
Terms of Service

The agreement governing your use of the Scuto security platform.

Last updated: March 1, 2026 · Effective date: March 1, 2026

You own your data

Scan results, vulnerability findings, and all customer data remain your property.

Self-hosted deployment

For self-hosted customers, Scuto has zero access to your environment or data.

EU-registered company

SCUTO SRL is registered in Romania (EU). Governed by Romanian and EU law.

Transparent billing

30-day notice on price changes and prorated upgrades.

Table of Contents
  1. Acceptance of Terms
  2. Definitions
  3. Description of Services
  4. Authorization and Scope of Testing
  5. Account Registration and Security
  6. Subscription Plans, Fees, and Billing
  8. Acceptable Use Policy
  9. Customer Data and Content
  10. Data Processing and Privacy
  11. Data Security
  12. Data Retention and Deletion
  13. Confidentiality
  14. Intellectual Property
  15. Service Level Agreement
  16. Third-Party Services and Integrations
  17. Warranties and Disclaimers
  18. Limitation of Liability
  19. Indemnification
  20. Term and Termination
  21. Export Controls
  22. Modifications to Terms
  23. Governing Law and Dispute Resolution
  24. General Provisions
  25. Self-Hosted Deployment Terms
  26. Contact Information

1. Acceptance of Terms

By accessing, registering for, or using Scuto's services (the "Services"), you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are agreeing on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms.

These Terms, together with our Privacy Policy, any applicable Data Processing Agreement ("DPA"), and any Order Form executed between the parties, constitute the entire agreement between you and SCUTO SRL ("Scuto," "we," "us," or "our") governing your use of the Services.

If you do not agree to these Terms, you may not access or use the Services.

2. Definitions

"Authorized Users" means individuals permitted to access Customer's account, subject to the seat limits of Customer's Subscription Plan.

"Customer Data" means all data, configurations, credentials, scan targets, and materials that Customer provides to or through the Services.

"Scan Results" means vulnerability findings, reports, severity ratings, evidence artifacts, compliance mappings, and all output generated from scanning Customer's Targets.

"Target" means a web application, API endpoint, cloud account, source code repository, device, domain, or network that Customer configures for scanning within the Platform.

"Subscription Plan" means the tier of service selected by Customer, as described in an Order Form or as otherwise agreed between the parties.

"Order Form" means a signed document specifying custom pricing, plan details, or terms applicable to Enterprise customers.

"Documentation" means the user guides, API documentation, and knowledge base articles published by Scuto.

"Confidential Information" means all non-public information disclosed by either party, including but not limited to Scan Results, vulnerability data, source code, business plans, pricing terms, and technical architecture.

3. Description of Services

Scuto provides an all-in-one cybersecurity platform that includes:

  • Automated vulnerability scanning with 16+ specialized scanners mapped to OWASP categories
  • AI-powered intelligent crawling engine for web applications and APIs
  • Cloud infrastructure security assessment for AWS, Azure, GCP, Kubernetes, Microsoft 365, and GitHub
  • EDR/XDR endpoint detection and response
  • Device management and endpoint compliance
  • Container and image scanning
  • Code and secrets scanning for source repositories
  • Domain and network security monitoring
  • Identity and access governance
  • Compliance mapping and reporting for ISO 27001, SOC 2, GDPR, HIPAA, PCI DSS, NIST 800-53, NIST CSF, CIS Benchmarks, and related frameworks
  • Video recording and evidence capture during scans

The Services are available as a cloud-hosted SaaS platform or as a self-hosted deployment within your own infrastructure. Features available to Customer depend on the selected Subscription Plan and deployment model. Scuto reserves the right to modify, improve, or discontinue specific features with reasonable notice.

Important: The Services are tools to assist Customer's security program. They are not a guarantee of security, a substitute for professional penetration testing or security consulting, or a certification of compliance with any regulatory framework.

4. Authorization and Scope of Testing

4.1 Authorization Requirement

Customer represents and warrants that it owns or has obtained explicit, written authorization from the rightful owner to scan every Target configured in the Platform. Customer must be able to produce proof of authorization upon Scuto's request. Scuto reserves the right to require a signed Authorization to Test form before enabling scans on any Target.

4.2 Scope Limitations

Scans are limited to Targets explicitly configured by Customer. Customer is solely responsible for ensuring scan scope does not extend beyond authorized systems. Customer must configure appropriate exclusion rules for any systems, endpoints, or IP ranges that should not be tested.

4.3 Target Verification

Scuto may implement domain ownership verification (DNS TXT records, file-based verification, or similar methods) before allowing scans to proceed. Customer must complete verification for all Targets before scanning commences.

4.4 Compliance with Laws

Customer represents that all testing conducted through Scuto complies with applicable local, state, national, and international laws, including but not limited to the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, and equivalent legislation in Customer's jurisdiction. Customer acknowledges that unauthorized security testing may constitute a criminal offense.

4.5 Cloud Provider Terms

When scanning cloud infrastructure (AWS, Azure, GCP), Customer must comply with each cloud provider's penetration testing policies and notification requirements. Scuto is not responsible for any violations of cloud provider terms resulting from Customer's use of the Services.

4.6 No Offensive Use

Scan Results, vulnerability data, and any exploits demonstrated by the Platform may only be used for defensive security purposes. Customer shall not use the Services or any output to exploit, attack, or cause harm to any system, whether or not the system is owned by Customer.

4.7 Impact Acknowledgment

Customer acknowledges that automated vulnerability scanning may cause service disruptions, performance degradation, triggering of security alerts (WAF, IDS, SIEM), or in rare cases, data corruption on Target systems. Scuto shall not be liable for any adverse effects on Customer's or third-party systems resulting from authorized scanning activity.

5. Account Registration and Security

Customer must provide accurate and complete registration information. Customer is responsible for maintaining the confidentiality of account credentials, including passwords and API keys, and for all activities that occur under their account.

Customer must immediately notify Scuto of any unauthorized access or security breach affecting their account. Scuto is not liable for any loss or damage arising from unauthorized use of Customer's credentials. We strongly recommend enabling multi-factor authentication on all accounts.

Customer designates one or more Account Owners with full administrative control, including the ability to manage members, workspaces, and billing. Account sharing across organizations is prohibited.

6. Subscription Plans, Fees, and Billing

6.1 Plans and Pricing

The Services are offered under various Subscription Plans. Current pricing, features, and limits are available upon request. Enterprise plans may be subject to custom terms specified in an Order Form.

6.2 Billing Cycle and Payment

Paid plans are billed monthly or annually. All payments are processed securely through Stripe. Enterprise customers may pay by wire transfer. Customer is responsible for all applicable taxes, including VAT, GST, sales tax, and withholding taxes.

6.3 Plan Changes

Upgrades take effect immediately with prorated charges for the current billing period. Downgrades take effect at the end of the current billing period, with credit applied to the next cycle. Downgrading may result in loss of access to features and data that exceed the lower plan's retention limits.

6.4 Usage Limits

When Customer reaches their monthly scan limit, scanning is paused until the next billing cycle or until Customer upgrades their plan. Customer will receive notifications as they approach their limit. We do not charge overage fees.

6.5 Price Changes

Scuto may modify pricing with at least 30 days advance notice (60 days for annual plans). Existing subscribers will be grandfathered at their current price through the end of their current billing period.

6.6 Refunds

Refund policies are determined by the applicable Subscription Plan or Order Form. Enterprise contracts are governed by their respective Order Forms.

6.7 Late Payment

If payment fails, we will attempt to process it again and notify Customer. If payment remains unresolved after 14 days, Scuto may suspend access to the Services. Customer remains liable for all fees during any suspension period. Overdue amounts may accrue interest at the rate of 1.5% per month or the maximum rate permitted by law, whichever is less.

8. Acceptable Use Policy

8.1 Permitted Uses

Customer may use the Services for legitimate security testing, vulnerability assessment, compliance evaluation, and security monitoring of authorized Targets. Customer may generate and export reports for internal security programs, auditor review, and client deliverables.

8.2 Prohibited Uses

Customer shall not:

  • Scan systems without proper authorization from the system owner
  • Use the Services to conduct denial-of-service attacks, stress testing, or any destructive testing beyond the defined scanning scope
  • Reverse engineer, decompile, disassemble, or attempt to derive the source code of the Platform
  • Circumvent usage limits, quotas, rate limits, or access controls
  • Share account credentials or allow unauthorized users to access the Services
  • Use Scan Results to exploit vulnerabilities in any system for malicious purposes
  • Resell, sublicense, or redistribute the Services without Scuto's prior written consent
  • Use the Services for competitive analysis or to build a competing product
  • Upload malicious code to the Platform or attempt to compromise Scuto's infrastructure
  • Use the Services in violation of any applicable export control, sanctions, or other laws

8.3 Fair Use and Rate Limiting

Scuto reserves the right to throttle or temporarily suspend scans that cause excessive load on our infrastructure or on Target systems. Enterprise plans with unlimited features are subject to fair use consistent with normal business operations.

8.4 Consequences of Violation

Violations of this Acceptable Use Policy may result in a warning, suspension, or immediate termination of Customer's account at Scuto's sole discretion. No refund will be issued for accounts terminated due to AUP violations. Customer remains liable for any damages caused by prohibited use.

9. Customer Data and Content

Customer retains all ownership rights in Customer Data, Scan Results, and Customer Content. Customer grants Scuto a limited, non-exclusive license to process Customer Data solely for the purpose of providing the Services.

Scuto will not access Customer Data except as necessary to provide the Services, respond to support requests, prevent fraud or abuse, or comply with applicable law. Customer is responsible for the legality, accuracy, and completeness of all Customer Data and Content.

Scuto may aggregate and anonymize Customer Data (stripped of all identifying information) for purposes of improving the Services, developing threat intelligence, benchmarking, and research. Scuto owns all aggregated and anonymized data. Individual Scan Results are never shared with other customers or third parties.

10. Data Processing and Privacy

Scuto processes personal data in accordance with our Privacy Policy and in compliance with the GDPR, CCPA/CPRA, and other applicable data protection laws.

For customers subject to the GDPR: when Scuto processes personal data contained in Customer Data on Customer's behalf, Scuto acts as a Data Processor and Customer acts as the Data Controller. The terms of our Data Processing Agreement (DPA), which incorporates Standard Contractual Clauses for international transfers, govern this processing relationship.

Enterprise customers may request a custom DPA. To obtain our standard DPA, contact legal@scuto.ai.

11. Data Security

Scuto implements and maintains appropriate technical and organizational security measures to protect Customer Data, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Per-organization data isolation at the database level
  • Role-based access controls with principle of least privilege for all personnel
  • Multi-factor authentication for internal systems
  • Regular penetration testing and security audits of our own infrastructure
  • 24/7 monitoring with automated anomaly detection

In the event of a security incident affecting Customer Data, Scuto will notify affected customers without unreasonable delay and within 72 hours as required by applicable law. For more details, see our Security page.

Self-Hosted Data Security

For self-hosted deployments, Customer is responsible for all infrastructure security measures, including encryption, network security, access controls, patching, and monitoring. Scuto provides hardened deployment artifacts, security configuration guides, and ongoing security advisories but has no access to Customer's environment or data.

12. Data Retention and Deletion

Scan Results and Customer Data are retained in accordance with the Customer's Subscription Plan. Data retention periods vary by Subscription Plan and are specified in the applicable Order Form. Enterprise customers may negotiate custom retention terms.

Upon account termination, Customer has 30 days to export their data in PDF, CSV, or JSON format via the Platform or API. After the export period, Scuto will permanently delete Customer Data in accordance with our Privacy Policy. Customer may request early deletion at any time by contacting support.

Self-hosted deployments: For self-hosted deployments, data retention is entirely under Customer's control. Scuto has no access to Customer's data and cannot delete or modify it.

13. Confidentiality

Each party agrees to protect the other party's Confidential Information with at least the same degree of care it uses to protect its own confidential information, but no less than reasonable care. Confidential Information may be used only for the purposes of this Agreement and disclosed only to employees, contractors, and agents who have a need to know and are bound by confidentiality obligations at least as protective as these Terms.

Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was known to the receiving party prior to disclosure; (c) is independently developed without reference to the disclosing party's Confidential Information; or (d) is rightfully received from a third party without restriction.

A party may disclose Confidential Information if compelled by law, regulation, or court order, provided that it gives the other party prompt notice (where legally permitted) and cooperates in any effort to obtain protective treatment.

Scan Results and vulnerability data are treated as Customer's Confidential Information. Scuto will not disclose Customer's vulnerability data to any third party except as required by law or with Customer's explicit consent.

Confidentiality obligations survive for 5 years after disclosure, or indefinitely for trade secrets.

14. Intellectual Property

14.1 Scuto's Intellectual Property

The Platform, including all software, algorithms, scanner logic, AI/ML models, user interfaces, documentation, trade names, and trademarks, is and remains the exclusive property of Scuto and its licensors. No rights are granted to Customer except the limited license to use the Services during the subscription term as described herein.

14.2 Customer's Intellectual Property

Customer retains all rights in Customer Data, Customer Content, Scan Results, scan configurations, and custom report templates. Customer retains all rights in its own applications, systems, and code that are the subject of scanning.

14.3 Feedback

If Customer provides feedback, suggestions, or ideas regarding the Services, Scuto may freely use such feedback without obligation to Customer.

15. Service Level Agreement

15.1 Uptime Commitment

Scuto targets 99.9% uptime for paid Subscription Plans, measured on a monthly basis. Specific uptime commitments may vary by plan and are specified in the applicable Order Form. "Downtime" means the Platform is materially unavailable, excluding scheduled maintenance, Customer-caused issues, force majeure events, and third-party service outages.

15.2 Scheduled Maintenance

Scuto will provide at least 48 hours advance notice of scheduled maintenance. We will endeavor to schedule maintenance during low-usage periods and minimize disruption.

15.3 Service Credits

If monthly uptime falls below the committed level, Customer may request service credits as specified in the applicable Order Form. Credits are applied to future invoices. Credit requests must be submitted within 30 days of the downtime event. Service credits are Customer's sole and exclusive remedy for Scuto's failure to meet uptime commitments.

15.4 Support Response Times

Support channels and response times vary by Subscription Plan. Enterprise customers may negotiate dedicated support terms in their Order Form.

Self-hosted deployments: The SLA uptime commitment applies to Scuto's SaaS platform only. For self-hosted deployments, uptime and availability are Customer's responsibility. Scuto provides support per the agreed support channels and response times for troubleshooting and guidance.

16. Third-Party Services and Integrations

The Services integrate with third-party services including cloud providers (AWS, Azure, GCP), source code platforms (GitHub), payment processors (Stripe), and others. Customer's use of these integrations is subject to the respective third party's terms and policies. Scuto is not responsible for the availability, accuracy, or security of third-party services.

Customer is responsible for maintaining valid credentials and permissions for all connected integrations. If a third-party service changes or discontinues its API, Scuto may modify or remove the corresponding integration with reasonable notice.

17. Warranties and Disclaimers

17.1 Scuto's Warranties

Scuto warrants that: (a) the Services will perform materially in accordance with the Documentation; (b) the Services will be provided with reasonable skill and care; and (c) Scuto will comply with all applicable laws in providing the Services.

17.2 Security Tool Disclaimers

No guarantee of complete detection: Scuto does not guarantee that all vulnerabilities will be detected. Automated scanning has inherent limitations. The absence of findings does not mean a Target is secure.

No guarantee of compliance: Compliance mapping features assist with preparation but do not constitute legal advice, certification, or attestation of compliance with any regulatory framework.

No guarantee against breaches: Use of the Services does not guarantee that Customer will not experience a security incident.

17.3 General Disclaimer

Except as expressly set forth herein, the Services are provided "as is" and "as available." Scuto disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, non-infringement, and accuracy. No oral or written information from Scuto shall create a warranty not expressly stated in these Terms.

18. Limitation of Liability

18.1 Exclusion of Consequential Damages

To the maximum extent permitted by law, neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, data, business opportunities, or goodwill, regardless of the theory of liability (contract, tort, negligence, strict liability, or otherwise).

18.2 Cap on Liability

Scuto's total aggregate liability arising out of or related to these Terms shall not exceed the fees paid by Customer in the 12 months preceding the claim. Enterprise customers may negotiate different liability caps in their Order Form.

18.3 Exceptions

The limitations in Sections 18.1 and 18.2 do not apply to: (a) breaches of confidentiality obligations; (b) intellectual property indemnification obligations; (c) Customer's breach of the Authorization and Scope of Testing provisions; (d) Customer's breach of the Acceptable Use Policy; (e) either party's willful misconduct or gross negligence; or (f) Customer's payment obligations.

18.4 Jurisdictional Limits

Some jurisdictions do not allow the exclusion or limitation of certain damages. In such jurisdictions, Scuto's liability is limited to the maximum extent permitted by applicable law.

19. Indemnification

19.1 Scuto's Indemnification

Scuto will defend, indemnify, and hold harmless Customer from third-party claims alleging that Customer's authorized use of the Services infringes a third party's intellectual property rights. Scuto's remedies include: modifying the Service, obtaining a license, or if neither is commercially reasonable, terminating the affected Service and refunding prepaid fees for the unused portion. This indemnity does not apply to claims arising from Customer's modifications, combination with non-Scuto products, or use beyond the scope of these Terms.

19.2 Customer's Indemnification

Customer will defend, indemnify, and hold harmless Scuto from third-party claims arising from: (a) Customer's breach of the Authorization to Test provisions; (b) Customer Data or Customer Content, including claims of infringement; (c) Customer's violation of applicable law; (d) Customer's breach of the Acceptable Use Policy; or (e) claims by any third party whose systems were scanned without proper authorization.

19.3 Indemnification Procedure

The indemnified party must provide prompt written notice, grant sole control of the defense to the indemnifying party, and provide reasonable cooperation. The indemnifying party may not settle any claim in a manner that imposes obligations on the indemnified party without written consent.

20. Term and Termination

20.1 Term

Subscription Plans auto-renew for successive periods (monthly or annual) unless cancelled before the renewal date. Enterprise terms are specified in the applicable Order Form.

20.2 Cancellation by Customer

Customer may cancel their Subscription Plan at any time through account settings or by contacting support. Cancellation takes effect at the end of the current billing period. No refunds are issued for the remaining portion of the billing period unless otherwise specified in the applicable Order Form.

20.3 Termination by Scuto

Scuto may terminate for cause if Customer commits a material breach that is not cured within 30 days of written notice. Scuto may immediately terminate or suspend Customer's account for: AUP violations, unauthorized scanning, illegal activity, or non-payment exceeding the grace period. Scuto may discontinue any Subscription Plan with 90 days advance notice.

20.4 Effect of Termination

Upon termination: (a) all licenses and rights to use the Services cease immediately; (b) Customer has 30 days to export their data; (c) after the export period, Scuto will delete Customer Data per the retention policy; and (d) all accrued payment obligations survive. The following sections survive termination: Definitions, Confidentiality, Intellectual Property, Limitation of Liability, Indemnification, Governing Law, and any accrued rights or obligations.

21. Export Controls

The Services may be subject to EU export control regulations, applicable national export control laws, and international sanctions programs. Customer shall not directly or indirectly export, re-export, or provide the Services to any country, territory, entity, or individual prohibited by applicable export control or sanctions laws. Customer represents that it is not located in, or a national or resident of, any embargoed country and is not on any restricted party list.

22. Modifications to Terms

Scuto reserves the right to modify these Terms. For material changes, we will provide at least 30 days advance notice via email or in-Platform notification. Continued use of the Services after the notice period constitutes acceptance. If Customer does not agree with the modified Terms, Customer must cancel their account before the changes take effect. Non-material changes (corrections, clarifications) may be made without notice. Enterprise customers with negotiated terms are governed by their Order Form.

23. Governing Law and Dispute Resolution

23.1 Governing Law

These Terms are governed by the laws of Romania and, where applicable, the laws of the European Union, without regard to conflict of law principles.

23.2 Dispute Resolution

Any dispute arising out of or relating to these Terms that cannot be resolved through good-faith negotiation within 30 days shall be submitted to the exclusive jurisdiction of the competent courts in Bucharest, Romania. Either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property rights or Confidential Information.

24. General Provisions

Entire Agreement. These Terms, together with the Privacy Policy, any DPA, and any applicable Order Forms, constitute the entire agreement between the parties and supersede all prior agreements, proposals, and representations.

Severability. If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions remain in full force and effect.

Waiver. The failure of either party to enforce any right or provision of these Terms does not constitute a waiver of that right or provision.

Assignment. Customer may not assign these Terms without Scuto's prior written consent. Scuto may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets, with notice to Customer.

Force Majeure. Neither party is liable for failure to perform obligations due to causes beyond its reasonable control, including natural disasters, wars, pandemics, government actions, internet outages, cyberattacks on infrastructure, or failures of third-party service providers.

Notices. Legal notices must be sent to the email address associated with Customer's account (for Customer) or to legal@scuto.ai (for Scuto).

Independent Contractors. The parties are independent contractors. Nothing in these Terms creates a partnership, joint venture, or employer-employee relationship.

No Third-Party Beneficiaries. These Terms do not confer any rights or remedies upon any person or entity other than the parties.

25. Self-Hosted Deployment Terms

This section applies to Customers who deploy the Scuto platform within their own infrastructure ("Self-Hosted Deployment"). These terms supplement the general Terms above.

25.1 Customer Responsibility for Infrastructure

Customer is solely responsible for provisioning, configuring, securing, and maintaining the infrastructure on which the Scuto platform operates. This includes compute resources, storage, networking, operating systems, container runtimes, databases, backup systems, and all related infrastructure components.

25.2 No Scuto Access

Scuto has zero access to Customer's self-hosted environment, data, configurations, scan results, or credentials. All data processing occurs entirely within Customer's infrastructure. Scuto does not receive telemetry, usage data, or any other information from self-hosted deployments unless Customer explicitly provides it through support channels.

25.3 Updates and Patches

Scuto provides offline update bundles (container images, Helm charts, migration scripts) for self-hosted deployments. Customer is responsible for applying updates on their own schedule. Scuto recommends applying security patches within 30 days of release. Support for outdated versions may be limited to the two most recent major releases.

25.4 Support Model

Support for self-hosted deployments is provided per the Customer's Subscription Plan support tier. Support covers platform software issues, configuration guidance, upgrade assistance, and troubleshooting. Infrastructure issues (hardware failures, network configuration, OS-level problems) are Customer's responsibility. Scuto may request anonymized logs or configuration details to assist with troubleshooting, provided at Customer's discretion.

25.5 License Scope

The self-hosted license grants Customer the right to deploy and operate the Scuto platform within Customer's infrastructure for the duration of the subscription term. Customer may not redistribute, sublicense, modify, or reverse engineer the platform software. The license is limited to the number of seats and scanning scope specified in Customer's Subscription Plan or Order Form.

26. Contact Information

For questions about these Terms, contact us at:

Legal inquiries: legal@scuto.ai

Billing and subscription: support@scuto.ai

Privacy and data protection: privacy@scuto.ai

Security concerns: security@scuto.ai