Terms and Conditions

Version 1.0 · Last updated 30 April 2026

The short version

We provide best-effort security monitoring for the servers and websites you add to Astrari. We try hard, but we can't catch every issue, and we're not a substitute for your own backups, patching, and good security practices. You're responsible for any system you ask us to monitor — please only add systems you own or have explicit permission to scan. If something goes wrong, our liability is limited to what you've paid us. The full terms below have the detail.

1. About these terms

These Terms and Conditions (the "Terms") are a legal agreement between you (or the organisation you represent — the "Customer", "you") and Incus Technologies Limited (trading as "Incustech" and operating the Astrari service — "we", "us", "our"):

Incus Technologies Limited

Registered office: Castle House, Castle Street, Guildford, Surrey, England, GU1 3UW

Company number: 09253791 (registered in England and Wales)

By creating an account, installing the Astrari agent, or otherwise using the Service you confirm that you have read, understood, and agree to be bound by these Terms. If you do not agree, you must not use the Service.

2. Definitions

  • Service — the Astrari security monitoring platform, including the dashboard at astrari.io, the agent binary, related APIs, and any associated documentation.
  • Agent — the Astrari software you install on a Linux server to perform local security scanning.
  • Asset — a server, website or other system you add to your Astrari account for monitoring.
  • Findings — security observations, vulnerabilities, configuration issues or alerts produced by the Service.
  • Plan — the subscription tier you choose (Starter, Basic, Professional, Agency).
  • Account — your Astrari organisation account, including all users, sites, servers, clients and findings under it.

3. Eligibility and accounts

You must be at least 18 years old and able to enter into a binding contract under the laws applicable to you. You must provide accurate and current information when creating an account and keep that information up to date.

You are responsible for safeguarding your account credentials and any activity that occurs under your account. Notify us immediately at [email protected] if you suspect any unauthorised use.

4. Authorisation to scan

This is the most important section. Read it carefully.

By adding any Asset to the Service, you warrant and represent that:

  • You own that Asset, or you have explicit, documented authorisation from its owner to permit security scanning by Astrari on their behalf.
  • You are not adding the Asset to perform reconnaissance against systems you do not own or have permission to scan.
  • You will not use the Service to scan, probe, or test any system without lawful authority to do so.

You acknowledge that running security scans against systems without authorisation may be unlawful in your jurisdiction (for example, under the Computer Misuse Act 1990 in the United Kingdom). We rely on your warranty above and accept no responsibility for your use of the Service against systems you are not authorised to scan. You agree to indemnify and hold us harmless from any claim arising from such use.

5. The Service

The Service performs a combination of agent-based scanning on Linux servers (Trivy CVE scanning, ClamAV, rkhunter, MalDet and other tools) and external scanning of websites (HTTP probes, SSL checks, security header checks, blacklist lookups, WordPress plugin/theme/CVE matching and similar). It surfaces Findings in your dashboard and, where you choose, dispatches alerts via email, Slack, Microsoft Teams, PagerDuty or webhook.

The Service is provided on a subscription basis under your chosen Plan. Plan limits (number of monitored sites, servers, scan frequency, data retention) are described on our pricing page and in your dashboard.

We may add, modify or remove features at any time. We will give reasonable notice for material changes that adversely affect existing Plans.

6. Your responsibilities

The Service supplements — it does not replace — your own security and operational practices. In particular, you remain responsible for:

  • Backups. Maintaining current, tested backups of your servers, websites, databases and configurations. We do not back up your systems and we do not assume responsibility for data loss.
  • Patching and remediation. Reviewing Findings and applying fixes (whether through our auto-fix features or manually). The agent reports issues; you decide what to do about them.
  • Agent installation. The agent must run with elevated privileges (root) to perform its scans. You are responsible for installing the agent only on systems you control, and for the consequences of doing so.
  • Account access. Limiting access to your Astrari account, rotating credentials, removing former staff promptly, and using strong passwords.
  • Compliance. Complying with all laws and regulations applicable to you, including data protection law (UK GDPR / EU GDPR / equivalent), in your use of the Service and in handling Findings that may contain sensitive information.
  • Third-party authorisation. If you add Assets belonging to your clients, you are responsible for obtaining their authorisation and for processing any personal data accordingly.
  • Auto-fix consequences. Some Astrari features (SSH hardening, .htaccess fixes, package updates) modify configuration on your servers. You are responsible for reviewing previews, understanding the changes, and ensuring you have a way to recover if a change has unintended consequences.

7. Free trial

Each new paid Plan includes a 14-day free trial. No payment card is required to start the trial. During the trial you have full access to the features of your chosen Plan.

At the end of the trial, if you have not subscribed, your account is moved to read-only mode: you can still view your existing data and dashboard, but mutating actions (creating new scans, adding new Assets, changing alert configuration) are disabled until you choose a Plan or remain on the free Starter tier where applicable.

8. Subscriptions, billing and cancellation

Paid subscriptions are processed by Stripe. You may pay in GBP, EUR or USD on a monthly or annual basis. Annual plans receive a 20% discount versus the monthly rate.

Subscriptions renew automatically at the end of each billing period unless cancelled. You may cancel at any time from your dashboard via the "Manage in Stripe" link.

Monthly subscriptions remain active until the end of the current period when cancelled. Annual subscriptions are non-refundable after the 14-day trial period but can be cancelled to prevent renewal. We do not provide pro-rata refunds for partial months or unused features unless required by law.

If your payment fails, we may suspend access to the Service after reasonable notice. If a payment dispute is initiated by you in error, you authorise us to recover the disputed amount and any associated fees.

9. Plan downgrades and over-limit assets

If you change your Plan to a smaller tier, any Assets exceeding the new Plan's limits will be automatically disabled (newest first). Disabled Assets retain all their data but stop scanning until you upgrade or remove other Assets to free up slots. We notify you by email when this happens.

10. Pricing changes

We may change pricing for the Service. We will give at least 30 days' notice by email of any price increase that affects your current subscription. If you do not accept the new price you may cancel before the change takes effect.

11. Service availability

We aim for high availability but do not provide a contractual uptime guarantee at this time. We use commercially reasonable efforts to keep the Service running and to perform scheduled maintenance with advance notice where possible.

The Service depends on your servers' ability to reach our API. Network outages on your side, firewall configuration changes, or your servers being offline will prevent the agent from checking in and may cause scans, alerts or fixes to fail or be delayed.

12. Acceptable use

You must not, and you must not permit any person to:

  • Use the Service to scan, probe, attack or test any system without explicit authorisation from the owner of that system;
  • Reverse-engineer, decompile or attempt to extract source code from the agent, except to the extent permitted by mandatory law;
  • Resell or rebrand the Service to third parties without an Agency plan or other written agreement with us;
  • Interfere with the Service's operation, attempt to bypass rate limits or authentication, or use the Service to send unsolicited communications;
  • Use the Service in violation of any applicable law (including export control, sanctions, or data protection law).

We may suspend or terminate accounts that violate this section, in our reasonable discretion and with or without notice.

13. Your data and privacy

In providing the Service we process information about your Assets — for example, the hostnames of monitored servers, listening ports, installed package names and versions, log excerpts produced by forensic diagnostics, and the URLs of monitored websites. Some of this data may include personal data (for example, email addresses you configure as alert contacts, or user account names captured by SSH-hardening scans).

For the purposes of UK GDPR and EU GDPR you are the controller of personal data you submit to or generate via the Service, and we act as your processor in respect of that data. A separate data processing addendum is available on request.

We do not sell your data. We process it solely to provide the Service to you. Personal data is retained for the duration of your subscription plus the data retention period specified by your Plan, after which it is deleted on a rolling basis unless retention is required by law.

Our handling of personal data is described in more detail in our Privacy Policy.

14. Security of the Service

We take the security of the Service seriously. Agent updates are cryptographically signed (Ed25519) and the agent verifies signatures before applying any update. The agent never installs OS packages or modifies system configuration without explicit user action via the dashboard, and the install script asks for confirmation before performing any system package operations.

If you discover a security vulnerability in the Service, please report it confidentially to [email protected]. We will acknowledge your report and work in good faith to remediate.

You are responsible for the security of any system on which you install the agent. The agent runs with elevated privileges (root) — please install only on systems you control.

15. Third-party software and data

The Service uses and integrates with a number of third-party tools and data sources, including but not limited to:

  • Trivy (Aqua Security), ClamAV, rkhunter, Linux Malware Detect (rfxn.com)
  • The Wordfence Intelligence vulnerability database
  • The MITRE Corporation CVE programme
  • Stripe (payment processing)
  • Resend (transactional email)

Each of these is governed by its own terms and licences. We do not warrant their accuracy, completeness or fitness for any purpose. WordPress vulnerability data is provided by Wordfence Intelligence under a free commercial-use licence; the MITRE CVE attribution is preserved on each affected Finding as required by their licence terms.

16. Intellectual property

We retain all right, title and interest in the Service, including the dashboard, the agent, our scanning rules, our documentation and our brand. You retain all right, title and interest in your data and your Assets.

You grant us a limited, non-exclusive, non-transferable licence to access your Assets and process your data solely for the purpose of providing the Service to you. This licence ends when you terminate your account, except for any data we are required to retain by law.

17. Disclaimer — Service provided "as is"

Please read this section carefully — it limits the warranties we provide.

The Service is provided on an "as is" and "as available" basis. To the maximum extent permitted by law, we make no warranties of any kind, whether express, implied, statutory or otherwise, including any warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy or that the Service will be uninterrupted, secure, free of harmful components, or error-free.

In particular, you acknowledge that:

  • No security tool can detect every vulnerability, malware sample, or compromise. The Service will sometimes miss issues that exist on your systems and will sometimes flag issues that turn out not to be real (false positives).
  • Findings are informational. Acting on a Finding (including via auto-fix features) is your decision and your responsibility.
  • Third-party scanners (Trivy, ClamAV, rkhunter, MalDet) have their own coverage limitations, and their vulnerability databases may lag behind the publication of new CVEs.
  • External website scans rely on what your site returns over HTTP. Sites with WAFs, anti-bot measures or aggressive caching may produce inaccurate or incomplete results.

18. Limitation of liability

Please read this section carefully — it limits our liability to you.

To the maximum extent permitted by law:

  • We will not be liable to you for any loss of profits, loss of revenue, loss of business, loss of goodwill, loss of reputation, loss or corruption of data, business interruption, or for any indirect, special or consequential loss whatsoever, however arising.
  • Our total aggregate liability to you under or in connection with these Terms (whether in contract, tort including negligence, breach of statutory duty or otherwise) shall not exceed the total fees you have paid to us under the relevant subscription in the twelve (12) months immediately preceding the event giving rise to the liability. For accounts on the free Starter plan, our total aggregate liability shall not exceed £100.

Nothing in these Terms shall limit or exclude our liability for: (a) death or personal injury caused by our negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability which cannot be limited or excluded by applicable law.

19. Indemnity

You agree to indemnify and hold us harmless from and against any and all claims, damages, losses, costs and expenses (including reasonable legal fees) arising out of or relating to: (a) your breach of these Terms; (b) your use of the Service in violation of any law; (c) your scanning of any system without authorisation; or (d) any claim by a third party related to the Assets you have added to the Service.

20. Suspension and termination

You may terminate these Terms at any time by cancelling your subscription and deleting your account. We may terminate these Terms (or suspend your access) immediately if you breach these Terms in a material way, or on 30 days' written notice for any reason.

On termination: (a) your right to use the Service ceases; (b) we will delete your data in accordance with our retention schedule, save where we are required to retain it by law; (c) sections of these Terms that by their nature should survive termination (including disclaimers, limitations of liability, indemnity, governing law) will survive.

21. Confidentiality

Each party agrees to keep confidential any non-public information disclosed by the other party in connection with the Service. This obligation does not apply to information that is already public, becomes public through no fault of the receiving party, or is required to be disclosed by law.

22. Force majeure

Neither party will be liable for any failure or delay in performance caused by circumstances beyond its reasonable control, including but not limited to acts of God, war, civil unrest, terrorism, pandemic, government action, internet or telecommunications failure, or denial-of-service attack.

23. Changes to these Terms

We may update these Terms from time to time. If a change materially affects your rights or obligations, we will give you at least 30 days' notice by email or through the dashboard. Continued use of the Service after the effective date of an updated version constitutes acceptance of the new Terms.

Material changes will not apply retroactively. The version and effective date appear at the top of this page.

24. General

These Terms (together with any applicable Plan terms, the Privacy Policy, and any data processing addendum) constitute the entire agreement between you and us regarding the Service, and supersede any prior agreements.

If any provision is held unenforceable, the remaining provisions remain in full force. Our failure to enforce a right is not a waiver of that right.

You may not assign these Terms without our prior written consent. We may assign these Terms to a successor in connection with a merger, acquisition or sale of assets.

These Terms do not create any agency, partnership, or joint-venture relationship.

25. Governing law and jurisdiction

These Terms and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.

The courts of England and Wales shall have exclusive jurisdiction to settle any such dispute or claim.

26. Contact

If you have any questions about these Terms or the Service, contact us at:

Incus Technologies Limited
Castle House, Castle Street, Guildford, Surrey, England, GU1 3UW
Company number 09253791 (registered in England and Wales)
Email: [email protected]
Web: incustech.app

See also our Privacy Policy.