Apply to be a part of our pre-launch program and get early access to Vexera.
VexeraVexera
PlatformPricingComplianceFAQBlog
Request an assessment
VexeraVexera
PlatformPricingComplianceFAQBlog
Request an assessment

Legal

Terms of Service

Version 1.0 · Effective July 7, 2026

On this page

  1. Agreement to These Terms
  2. Definitions
  3. Other Agreements and Precedence
  4. Accounts and Registration
  5. Authorized Security Testing Only
  6. Safety and Emergency Stop
  7. Acceptable Use
  8. Sanctions and Export Control
  9. The Service
  10. Trials, Demos, and Beta Features
  11. Plans, Fees, and Payment
  12. Renewal, Cancellation, and Refunds
  13. Customer Data
  14. Findings and Reports
  15. Third-Party Vulnerabilities and Coordinated Disclosure
  16. Prior Compromise and Unlawful Material
  17. Intellectual Property
  18. Confidentiality
  19. Publicity
  20. Warranties and Disclaimers
  21. Availability and Maintenance
  22. Suspension
  23. Term and Termination
  24. Liability
  25. Indemnification
  26. Changes to the Service and These Terms
  27. Governing Law and Disputes
  28. Miscellaneous

Agreement to These Terms

These Terms of Service ("Terms") govern access to and use of the Vexera platform, our website at vexera.ai, and the security testing services delivered through them (together, the "Service"). The Service is provided by Vexera ApS, a Danish company registered under CVR number 46442350, with registered address at Fuglegårdsvej 36D, 2820 Gentofte, Denmark ("Vexera", "we", "us").

By creating an account, accessing the platform, or using the Service, you agree to these Terms. If you use the Service on behalf of a company or another legal entity, you represent that you are authorized to bind that entity, and "Customer" and "you" then refer to that entity.

The Service is built for businesses. It is not directed at consumers. You must be at least 18 years old and use a work email address to create an account.

Our Privacy Policy describes how we handle personal data when you use the Service and our website.

Definitions

The following terms have specific meanings in this document:

  • "Account": the credentials and identification information used to access the platform.
  • "Organization": a workspace on the platform shared by a Customer's users, with roles and permissions managed by its administrators.
  • "Plan": the subscription tier the Customer has purchased, including its scan quotas, features, and usage limits.
  • "Target": a system, application, network, or other asset designated for security testing.
  • "Scope": the written definition of the Targets that may be tested and the restrictions that apply, including the Rules of Engagement.
  • "Rules of Engagement" or "RoE": the operational rules for an engagement, such as testing windows, rate limits, excluded systems, and emergency contacts.
  • "Scan": an automated security testing engagement executed by the Service against a Scope.
  • "Findings": vulnerabilities, misconfigurations, exposures, or other risks identified by a Scan.
  • "Reports": the deliverables generated by the Service, including Findings, supporting evidence, and remediation guidance.
  • "Customer Data": data the Customer submits to the Service (such as targets, scope definitions, credentials, and source code) and the results generated for the Customer.

Terms not defined here have the meaning given in the applicable order form or signed agreement, or otherwise their ordinary commercial meaning.

Other Agreements and Precedence

If you have signed a Master Services Agreement ("MSA"), Statement of Work ("SOW"), Data Processing Agreement ("DPA"), or order form with Vexera, those documents govern the matters they cover. In case of conflict, the signed SOW or order form prevails first, then the MSA, then these Terms, except that for the processing of personal data the DPA prevails over all of them in respect of the matters it governs.

Where we process personal data on your behalf during testing, a data processing agreement meeting the requirements of GDPR Article 28 must be in place. If you have not signed a negotiated DPA, our standard DPA, available at trust.vexera.ai, governs that processing.

Accounts and Registration

You must provide accurate, current, and complete information when creating an account and keep it up to date. Accounts must be registered with a work email address, not a personal one.

We may refuse a registration, or restrict or close an account, if:

  • the information provided is false, incomplete, or misleading,
  • the account holder was previously removed from the Service for breaching these Terms,
  • the account presents a risk to the security of the Service, our customers, or others,
  • the Service is being registered for or used for a purpose prohibited by law or by these Terms.

You are responsible for activity that occurs under your account. Keep credentials confidential, do not share accounts, and enable two-factor authentication where we require it. We may require additional identity verification for sensitive actions.

Notify us immediately if you suspect your account has been compromised or is being used by someone else. We can only help contain a compromise once we know about it.

Organization administrators control membership, roles, and access within their Organization and are responsible for who they invite. Administrative and security-relevant actions are logged for audit purposes.

You may close your account at any time. The effect of closure is described in Term and Termination.

Authorized Security Testing Only

The Service performs real offensive security testing. You may only test Targets that you own, or that you have explicit, written authorization to test from the party entitled to grant it. This is the single most important rule of the Service.

By starting a Scan, you represent and warrant that you hold valid authorization covering every Target in the Scope for the entire testing window, including any authorization required by third-party hosting or infrastructure providers. Authorization must be valid under every law that applies to the Target, including the laws of the countries where it is hosted and operated.

Scopes are hard boundaries. You must not deliberately widen a Scope beyond what has been authorized. If you want to test additional Targets, update the Scope and, where relevant, the RoE first.

We may ask for evidence of authorization before or during an engagement, and we may refuse or stop any Scan where authorization is unclear. If you are not sure whether you are authorized, do not proceed.

Unauthorized access to systems, accounts, data, or networks is prohibited and may be a criminal offense under applicable law, including the Danish Criminal Code (straffeloven) and the computer crime laws of the countries where a Target is located. You bear sole responsibility for testing you initiate without valid authorization.

Safety and Emergency Stop

Security testing interacts with live systems. The Service is built to test safely, with rate limiting, scope enforcement, and isolated execution, but temporary disruption of a tested system can never be fully excluded. You are responsible for sensible precautions on your side, such as backups, monitoring, and choosing appropriate testing windows.

For testing against production systems, you must provide an emergency contact who can be reached during the testing window.

We may pause or stop any Scan at our discretion if we detect instability, a risk of harm, activity outside the Scope, or ambiguity about authorization.

Avoid making significant changes to a Target during an active testing window unless coordinated with us. Results may otherwise be incomplete or misleading.

Acceptable Use

You must not, and must not permit or help anyone else to:

  • Use the Service to test, attack, or access systems without valid authorization, or direct it against individuals.
  • Use the Service to develop, distribute, or deploy malware, ransomware, or destructive payloads.
  • Use Findings, Reports, or evidence to exploit, extort, or harm any party.
  • Interfere with or disrupt the Service, other customers, or the integrity of our infrastructure, including by probing or testing the Service itself without our prior written permission.
  • Circumvent Plan limits, quotas, safety controls, or access restrictions.
  • Share, sell, rent, sublicense, or transfer access to the Service or your account without our prior written consent.
  • Copy, modify, or create derivative works of the Service, or reverse engineer, decompile, or disassemble it, except to the extent a statutory right to do so cannot be excluded.
  • Impersonate another person or entity, or misrepresent your affiliation with one.
  • Provide information you know to be false, or upload content you have no right to provide.
  • Use the Service to build a competing product, or access it to benchmark one.

We may monitor use of the Service for safety, quota, and abuse purposes. Where monitoring reveals a violation, we may remove content, stop Scans, and suspend accounts as described in Suspension.

One exception is deliberate: good-faith security research on the Service itself, conducted in accordance with our vulnerability disclosure policy published at trust.vexera.ai, is welcome and is not a breach of these Terms.

Sanctions and Export Control

You may not access or use the Service if you are subject to sanctions adopted by the EU, the UN, or another authority with jurisdiction over the relationship, or if you are located in, or acting for, a country, entity, or person subject to such sanctions.

Security testing technology and Reports may be subject to export control rules, including the EU Dual-Use Regulation (2021/821). You are responsible for complying with the export control and sanctions rules that apply to your use of the Service and the Reports.

The Service

Vexera is an AI-driven penetration testing platform. Autonomous agents analyze your applications and infrastructure the way a human security researcher would: mapping the attack surface, probing for weaknesses, validating what they find, and writing up Findings with evidence and remediation guidance.

"AI" in these Terms means software systems that process data, reason, and act with a degree of autonomy, including large language models and machine learning systems. AI output is probabilistic by nature; what that means for results is described in Warranties and Disclaimers.

We improve the Service continuously and may add, change, or remove features. If a change materially reduces the core functionality of your Plan, we will notify you in advance where reasonably possible.

Parts of the Service rely on third-party providers, such as the AI model and infrastructure vendors listed in our Privacy Policy. We select and contract with these vendors; you do not enter into a direct relationship with them through the Service.

We may suspend a feature at any time if we determine it could cause harm, and we will restore it when the risk is resolved. We will keep you informed about the expected duration where the suspension affects your use.

Trials, Demos, and Beta Features

We may offer free trials, demos, pilots, or beta features so you can evaluate the Service. These are provided free of charge, as is, without any warranty, and we may change, limit, or discontinue them at any time without liability.

Demo and beta access is for your internal evaluation only. You may not use it to develop or research competing technology, or share access, screenshots, or other non-public materials from it with third parties.

Where a trial converts into a paid subscription, the paid period starts when the trial ends, as stated at purchase.

Plans, Fees, and Payment

The Service is sold as subscription Plans and, where offered, usage-based add-ons. The features, quotas, price, currency, and billing period of your Plan are stated at purchase or in your order form.

Payments are processed by our payment provider, Stripe. You must keep your payment details and billing information current and notify us promptly of changes. We never store full card numbers.

Prices are exclusive of VAT and other applicable taxes unless stated otherwise. You are responsible for taxes arising from your purchase, except taxes on our income.

If payment fails or is overdue, we may charge default interest in accordance with the Danish Interest Act (renteloven), and we may suspend the Service after notice until outstanding amounts are paid. Fees continue to accrue during a suspension caused by non-payment.

Use beyond your Plan, for example more scans, targets, or users than the Plan includes, requires an upgrade or our written agreement, and we may invoice for it.

Renewal, Cancellation, and Refunds

Subscriptions renew automatically for successive periods equal to the billing period, unless cancelled before the renewal date or your order form provides otherwise.

You can cancel at any time from your account or by writing to us. Cancellation takes effect at the end of the current billing period, and you keep access until then.

Fees already paid are non-refundable, except where these Terms or a signed agreement provide otherwise, where the Service was not delivered as agreed, or where mandatory law requires a refund. The Service is a business service, so statutory consumer withdrawal rights do not apply.

If you believe you are entitled to a refund, contact legal@vexera.ai with the payment details and the reason. We respond within 10 business days, and approved refunds are returned to the original payment method.

Free, promotional, and trial access is unpaid, so there is nothing to refund.

Customer Data

You own your Customer Data. Vexera does not take ownership of the code, configurations, credentials, or other data you submit, nor of the Findings and Reports generated for you.

You grant us the rights needed to operate: a limited license to host, process, transmit, and display Customer Data solely to provide, secure, maintain, and improve the Service, and as otherwise permitted by a signed agreement.

You are responsible for your Customer Data. You warrant that you have all rights and permissions needed to submit it, including for any personal data it contains, and that it does not violate the law or the rights of others. Credentials supplied for authenticated testing are stored encrypted and used only for the engagement they were provided for.

Personal data inside Customer Data is processed on your behalf under the DPA, as described in the Privacy Policy. Our AI model providers are bound by terms that prohibit training on this data, as described in the Privacy Policy.

We may use data that has been de-identified and aggregated so it can no longer be linked to you or any person, for example to tune detection quality and improve the Service. We do not sell Customer Data and we do not use your code or Findings to market to others.

Source code fetched for a Scan is deleted when the Scan completes. Remaining Customer Data is deleted or anonymized after account termination, as set out in the Privacy Policy and DPA.

Findings and Reports

Reports are produced for the Customer named in the engagement. You may use them internally for security purposes, share them with professional advisers, auditors, and regulators under confidentiality, and share them with customers or partners under a non-disclosure agreement as part of security due diligence.

Public disclosure of Report contents, including publishing extracts or using them in marketing, requires our prior written consent, except where disclosure is required by law.

Findings reflect the state of the tested Targets during the testing window and within the agreed Scope. Systems change; a clean Report is a snapshot, not a certification, and does not mean a system is free of vulnerabilities.

Remediation is your responsibility. We recommend addressing Findings promptly, starting with the highest severity.

Third-Party Vulnerabilities and Coordinated Disclosure

A Scan may identify a previously unknown vulnerability in third-party software or services present on a Target, such as a commercial product, an open-source component, or an underlying platform, that affects more than just your configuration of it.

Where that happens, we may report the vulnerability to the affected vendor or maintainer under a coordinated disclosure process. We will notify you before making such a report, and the report will not identify you, your systems, or your data without your prior written consent.

You are free to report the vulnerability to the vendor yourself; we ask that you coordinate with us first so the two disclosures do not undermine each other. Neither party will publicly disclose details of an unpatched third-party vulnerability other than in line with accepted coordinated disclosure practice.

Prior Compromise and Unlawful Material

A Scan may uncover evidence that a Target has already been compromised by someone else, for example web shells, unfamiliar backdoors, or signs of active intrusion. If we identify such evidence, we notify your emergency contact or account administrators without undue delay and preserve the relevant evidence where feasible. Deciding how to respond, including whether to engage incident response, notify authorities, or inform affected individuals, remains your responsibility.

If the Service encounters material that is unlawful to possess or distribute, or clear evidence of serious crime, we may report it to the competent authorities where we are legally required or entitled to do so, and we may remove the material from our systems. We will inform you of such a report where the law permits.

Intellectual Property

The Service, including its software, agents, models, workflows, prompts, templates, designs, and documentation, is owned by Vexera or its licensors and is protected by intellectual property law.

We grant you a limited, non-exclusive, non-transferable license, without the right to sublicense, to access and use the Service for your internal business purposes during your subscription, in accordance with these Terms and your Plan.

No rights are granted beyond that license. You may not remove proprietary notices, and you may not use our name, logo, or trademarks except as allowed under Publicity.

If you send us feedback or suggestions, we may use them without restriction or obligation to you. This does not give us any rights to your Customer Data.

Confidentiality

Each party may receive non-public information from the other in connection with the Service ("Confidential Information"). Reports, Findings, and Scope details are your Confidential Information. Our technology, security methods, pricing, and non-public product information are ours.

Each party must protect the other's Confidential Information with at least reasonable care, use it only to perform under these Terms, and not disclose it to third parties except to employees and advisers who need it and are bound by confidentiality obligations.

These obligations do not apply to information that is or becomes public through no fault of the receiving party, was already lawfully known to it, was independently developed, or must be disclosed by law or court order. In the case of compelled disclosure, the receiving party will notify the other in advance where legally permitted.

Confidentiality obligations survive termination for 5 years, and for trade secrets for as long as they remain trade secrets. A separate signed NDA prevails over this section.

Publicity

With your prior consent, for example given in the order form, we may identify you by name and logo as a Vexera customer on our website and in marketing materials. We will follow your brand guidelines if you share them, and if you withdraw the permission, we will stop such use within a reasonable period.

Beyond name and logo, neither party will publicize details of the relationship, including Findings or the contents of Reports, without the other's prior written consent, except as required by law or a regulator.

Warranties and Disclaimers

We warrant that we provide the Service with reasonable skill and care. Beyond that, and to the extent permitted by Danish law, the Service is provided as is and as available, and we give no other warranties or guarantees of any kind, whether express or implied.

No security testing finds everything. We do not warrant that the Service will identify every vulnerability, that Findings are free of false positives, that the Service will be uninterrupted or error-free, or that use of the Service makes a system secure or compliant with any standard.

AI-generated analysis can be wrong. Findings include evidence precisely so your team can verify them. Review Reports before acting on them, especially before making destructive changes.

We are not responsible for third-party websites, tools, or services linked or referenced in the Service or in Reports. Their own terms and policies apply.

Availability and Maintenance

We aim to keep the Service available around the clock, but we do not promise uninterrupted operation unless a separate service level agreement has been signed.

The Service may be temporarily unavailable due to maintenance, upgrades, failures of third-party infrastructure or connectivity, attacks that occur despite our safeguards, legal or regulatory orders, or other events outside our reasonable control. For planned maintenance we give reasonable advance notice; for unplanned interruptions we inform you afterwards where relevant.

Suspension

We may suspend your access to the Service, in whole or in part, if we reasonably believe that:

  • your use is unauthorized or unlawful,
  • a Scan is operating outside its Scope or RoE,
  • your account is compromised,
  • your use threatens the security or integrity of the Service, our customers, or others,
  • payment is overdue after notice,
  • suspension is required by law or by an authority.

Where practical, we will tell you the reason for the suspension and what is needed to lift it, and we will restore access promptly once the cause is resolved. You may object to a suspension by contacting us, and we will review it in good faith.

A suspension for cause does not pause your payment obligations.

Term and Termination

These Terms apply from the moment you accept them and remain in force while you use the Service.

You may terminate at any time by cancelling your subscription and closing your account. We may terminate for material breach that remains uncured 30 days after written notice, and with immediate effect in cases of unauthorized testing, unlawful use, or a serious risk to the security of the Service or others.

We may also terminate these Terms, or retire a Plan, for convenience with at least 90 days' written notice. If we do, we will refund the prepaid fees covering the period after the termination date on a pro rata basis.

On termination, your access ends and accrued fees remain payable. Your data is deleted or anonymized as described in the Privacy Policy and DPA, so export your Reports before your subscription ends.

Provisions that by their nature should survive termination do survive, including those on Customer Data warranties, Confidentiality, Intellectual Property, Warranties and Disclaimers, Liability, Indemnification, and Governing Law and Disputes.

Liability

Neither party is liable for indirect or consequential losses, including lost profits, lost revenue, loss of goodwill, business interruption, or loss of data, to the extent permitted by law.

Each party's total aggregate liability arising out of or relating to the Service, regardless of the legal basis, is limited to the fees the Customer paid to Vexera in the 12 months preceding the event giving rise to the claim. For services provided free of charge, our liability is excluded to the extent permitted by law, except in cases of intent or gross negligence.

These limitations do not apply in cases of intent or gross negligence, to liability for death or personal injury caused by a party's negligence, to liability under mandatory product liability rules (produktansvarsloven), to a party's indemnification obligations, to your breach of Authorized Security Testing Only, or to other liability that cannot be limited under mandatory law.

We are not liable for damage caused by your breach of these Terms, by inaccurate Scope or Target information you provided, by changes you made to Targets during a testing window, by your failure to act on Findings we reported, or by failures of systems and services outside our control. Temporary disruption of tested systems of the kind that can ordinarily occur during penetration testing, despite the safeguards described in Safety and Emergency Stop, is not a breach of these Terms.

Neither party is liable for failure to perform caused by events beyond its reasonable control, such as natural disasters, war, terrorism, labor disputes, power or network failures, or acts of authorities, for as long as the event lasts.

Indemnification

You will defend and indemnify Vexera against third-party claims, and the resulting damages, fines, and reasonable legal costs, arising from testing initiated without valid authorization, from your breach of Authorized Security Testing Only or Acceptable Use, or from Customer Data that violates the law or the rights of others.

We will notify you promptly of any such claim, allow you to control the defense (with our right to participate at our own expense), and reasonably cooperate at your cost. We may take over the defense if you fail to conduct it diligently.

If a third party claims that the Service itself infringes their intellectual property rights, we will defend that claim and, at our option, secure your continued right to use the Service, modify it to be non-infringing, or terminate the affected part and refund prepaid fees for the remaining term. This is your exclusive remedy for third-party intellectual property claims concerning the Service.

Changes to the Service and These Terms

We may update these Terms as the Service, our vendors, or the law evolves. Each version carries a version number and an effective date, shown at the top of this page.

For material changes, we give at least 30 days' notice by email or in the platform before the new version takes effect. If you do not accept a material change, you may terminate before the effective date and receive a pro rata refund of prepaid fees for the remaining period. Continuing to use the Service after the effective date constitutes acceptance.

Changes that do not materially reduce your rights, such as clarifications, new features, or corrections, may take effect when posted.

Governing Law and Disputes

These Terms are governed by Danish law, excluding its conflict of law rules and the UN Convention on Contracts for the International Sale of Goods (CISG).

If a dispute arises, the parties will first attempt to resolve it through good-faith negotiation. Failing that, the courts of Copenhagen, Denmark have exclusive jurisdiction, and cases within the subject-matter competence of the Danish Maritime and Commercial High Court may be brought there. A signed MSA may provide for a different forum.

Miscellaneous

These Terms, together with your order, the applicable DPA, and any signed agreements, constitute the entire agreement about the Service and replace all prior discussions and understandings on the subject.

If a provision of these Terms is held invalid or unenforceable, the remainder stays in force, and the invalid provision is replaced by a valid one that best achieves its purpose.

A failure to enforce a provision is not a waiver of it. Waivers must be in writing.

You may not assign these Terms without our written consent, which will not be unreasonably withheld. We may assign them to an affiliate or in connection with a merger, acquisition, or sale of assets, with notice to you.

We may use subcontractors and vendors to deliver the Service and remain responsible for their work. The current list of subprocessors is available in the Privacy Policy and at trust.vexera.ai.

Notices to you are given by email to your account address or in the platform. Notices to us go to legal@vexera.ai.

These Terms are written in English, and the English text governs.

Vexera

Evidence-first autonomous security research, made in the EU.

Vexera ApS · Copenhagen, Denmark · CVR 46442350

Platform

How it works
Coverage
Pricing
Compliance

Company

About & FAQ
Blog
Trust Center
Contact

Legal

Terms
Privacy
security.txt
© 2026 Vexera ApScontact@vexera.ai
LinkedInXGitHub