Keygraph Cloud Terms of Service
Read This First
These Terms of Service (the "Terms" or "Agreement") form a binding contract between Keygraph, Inc., a Delaware corporation with an office at 1885 Mission St., San Francisco, CA 94103 ("Keygraph", "we", "us", or "Provider"), and the company, organization, or other legal entity on whose behalf the Cloud Service is accessed or used ("Customer", "you", or "your"). The Cloud Service is intended for business use only and may be accessed only by individuals acting on behalf of a company, organization, or other legal entity.
By clicking "I agree," "Sign up," "Subscribe," or a similar button or checkbox referencing these Terms, creating an account, accessing or using the Cloud Service, or executing an Order Form or Statement of Work, you represent and warrant that you have authority to bind Customer to these Terms. If you do not have that authority, or if Customer does not agree to these Terms, you may not access or use the Cloud Service.
The Cloud Service is not offered to consumers or for personal, family, or household purposes; Customer is, in all cases, a company, organization, or other legal entity. If an individual accepts these Terms or accesses the Cloud Service without authority to bind a valid Customer entity, Keygraph may reject, suspend, or terminate the account at any time and without prior notice, and that individual remains responsible for all unauthorized use and Fees incurred to the maximum extent permitted by Applicable Laws.
These Terms contain important provisions, including:
- A description of the Cloud Service and its limitations (Section 1).
- An Acceptable Use Policy that prohibits, among other things, using the Cloud Service to scan, test, or probe systems you do not own or have express written authorization to test (Section 3).
- Automatic renewal of paid subscriptions and, where applicable, automatic recurring charges, which you can cancel as described in Section 5 (Auto-Renewal & Cancellation).
- A limitation of Keygraph's liability and a disclaimer of warranties (Sections 9 and 10).
- A mandatory venue in San Francisco, California for disputes and a class-action waiver (Section 14).
- A right for Keygraph to modify these Terms with notice (Section 15.2).
1. The Cloud Service
1.1 What the Cloud Service Is. The "Cloud Service" is Keygraph's hosted application-security platform that helps Customer identify, triage, fix, and verify remediation of vulnerabilities in Customer's applications, code, dependencies, and related systems. Subject to Customer's Plan (Section 4) and any Order Form or Statement of Work, the Cloud Service may include features such as agentic penetration testing, static application security testing (SAST), software composition analysis (SCA), secrets scanning, container scanning, infrastructure-as-code scanning, CI/CD integration, findings management, ticketing integration, and assistive code patching. The features and limits available to Customer depend on Customer's then-current Plan, as set forth in the applicable Order Form or, where Keygraph offers a self-service subscription plan, as described at the location identified at signup.
1.2 Access; Internal Use. During the Subscription Period and subject to these Terms, Keygraph grants Customer a non-exclusive, non-transferable, non-sublicensable right to access and use the Cloud Service, and to download, install, and use any client-side Software (such as CLI tools, browser extensions, or runners) and Documentation made available by Keygraph, in each case solely for Customer's internal business purposes. Customer may permit its employees and contractors (each, a "User") to use the Cloud Service on Customer's behalf, provided Customer remains responsible for each User's compliance with this Agreement.
1.3 User Accounts; Security of Credentials. Customer is responsible for all activity occurring under its User accounts. Customer and its Users must protect the confidentiality of their passwords, API keys, and login credentials and must promptly notify Keygraph at security@keygraph.io of any actual or suspected unauthorized use of, or unauthorized access to, the Cloud Service or Customer's account. Customer is responsible for the rotation and revocation of its own credentials, and Keygraph is not responsible for unauthorized use of the Cloud Service resulting from compromised credentials that are within Customer's control.
1.4 Affiliates. Customer's corporate affiliates may use the Cloud Service under Customer's account only if Customer remains responsible for their compliance with this Agreement and for their acts and omissions. Affiliates using Customer's account do not have a direct contractual relationship with Keygraph and may not bring claims against Keygraph except through Customer. If a Customer affiliate wishes to enter into a separate subscription, it must do so under its own Order Form, creating a separate agreement between Keygraph and that affiliate.
1.5 No Managed Security Service Use. The Cloud Service is licensed to Customer solely for Customer's own internal application-security needs. Customer may not use, configure, or otherwise operate the Cloud Service to provide managed security services, security testing-as-a-service, security consulting deliverables, or any similar service offering (each, a "Managed Security Service") to any third party, whether for fee or not. By way of example and not limitation, Customer may not (a) use the Cloud Service to scan, test, or analyze the systems, code, applications, or environments of a third party as part of a service Customer offers or delivers to that third party; (b) incorporate Cloud Service outputs into deliverables Customer provides to any third party as part of a Managed Security Service; or (c) grant any third party access to the Cloud Service or to a Cloud Service tenant, except for Users permitted under Section 1.2, Affiliates permitted under Section 1.4, and other access expressly authorized in an Order Form. For clarity, the prohibitions in this Section 1.5 do not restrict Customer's permitted sharing of Cloud Service outputs with Customer's auditors, regulators, insurers, investors, professional advisors, customers, prospective customers, vendors, and other third parties with a legitimate business need to review Customer's security posture, provided Customer is not using the Cloud Service to provide a Managed Security Service. Managed Security Service use is offered by Keygraph only under a separate written agreement (an "MSSP Agreement") with different pricing, terms, and acceptable-use rules. Customers interested in Managed Security Service use should contact Keygraph at business@keygraph.io.
1.6 Beta Features. Keygraph may make beta, preview, or otherwise pre-release features available to Customer (each, a "Beta Feature"). Keygraph will identify Beta Features as beta, preview, experimental, or similar in the Cloud Service, Documentation, or Order Form. Beta Features are provided "AS IS," may be modified, withdrawn, or discontinued at any time, are not subject to Section 9.3 (warranty) or any service-level commitment, and Customer's use is at Customer's own risk. Keygraph has no obligation to maintain, support, or ever release Beta Features into general availability.
1.7 Free Tier; Trials. Keygraph may offer free trials, evaluation periods, or no-cost tiers of the Cloud Service. Free and trial use is made available only for Customer's good-faith, non-public evaluation for its own internal purchasing, security, compliance, or operational purposes, and remains subject to the competitive-use restrictions in Section 3.3. Free and trial use is provided "AS IS," is not subject to any service-level commitment, and may be modified, suspended, or terminated by Keygraph at any time with or without notice. These Terms apply to free and trial use, except that Sections 5 (Fees, Payment, Auto-Renewal & Cancellation) and 9.3 (Keygraph Service Warranty) do not apply. For clarity, the Acceptable Use Policy in Section 3 (including the scan-authorization warranties in Section 3.2) applies in full to free and trial use. If Customer enrolls in a Paid Trial (as defined in Section 5.4(f)), Section 5 governs the Payment Method authorization, the conversion to paid subscription, and all post-conversion charges.
2. Customer Content; Feedback; Usage Data; AI
2.1 Customer Content. "Customer Content" means data, information, code, repository contents, configurations, findings, and other materials submitted by or on behalf of Customer or Users to the Cloud Service, excluding Feedback. As between the parties, Customer retains all right, title, and interest in and to Customer Content. Customer grants Keygraph a non-exclusive, worldwide, royalty-free license to host, copy, transmit, display, process, and use Customer Content solely as needed to provide, maintain, secure, and support the Cloud Service and to comply with Applicable Laws.
2.2 Customer Responsibility for Customer Content. Customer represents and warrants that it, its Users, and anyone submitting Customer Content has all rights necessary to submit Customer Content to the Cloud Service and to permit Keygraph's use of Customer Content as described in this Agreement. Customer is solely responsible for the accuracy, legality, and content of Customer Content.
2.3 No Training on Customer Content or Support Materials. "Protected AI Data" means Customer Content, customer-specific embeddings, model inputs, model outputs, retrieved context, content-bearing agent traces, and Usage Data attributable to an identified or identifiable Customer. Keygraph will not use Protected AI Data or Support Materials to train or fine-tune any generalized or shared artificial-intelligence or machine-learning model, including any third-party model. Keygraph will not itself opt in to, configure, or authorize any third-party model provider to use Customer Content transmitted by Keygraph for such training or fine-tuning, except as Customer expressly instructs. Keygraph may process Protected AI Data solely to deliver the Cloud Service to Customer in accordance with Customer's configuration and instructions, and will not use customer-specific embeddings, runtime context, or content-bearing agent traces for other customers or third parties. Keygraph will not use raw Customer Content, Support Materials, prompts, model outputs, retrieved context, customer-specific embeddings, or content-bearing agent traces to create shared evaluation datasets or benchmarks except with Customer's express written opt-in. This Section does not limit Keygraph's ability to use Customer Content and Usage Data as otherwise authorized by this Agreement, use Usage Data and operational telemetry as permitted by Section 2.4, or use Feedback as permitted by Section 2.5.
2.4 Usage Data. "Usage Data" means data and information about the provision, use, security, and performance of the Cloud Service derived from Customer's or Users' use of the Cloud Service. Usage Data does not include Customer Content, the substantive findings of any scan, the contents of source code or configuration analyzed by the Cloud Service, content-bearing agent traces (including prompts, model outputs, retrieved context, screenshots, tickets, documents, or tool-call inputs or outputs that reveal Customer Content), or any information identifying specific vulnerabilities in Customer's systems. Usage Data may include non-content operational telemetry of the Cloud Service itself ("Operational Telemetry"), such as tool names, timestamps, latency, error codes, retry counts, completion status, token counts, generalized failure categories, feature usage, scan status, error rates, performance metrics, and security telemetry. Usage Data may include metadata derived from Customer's use only if it does not reveal Customer Content, the substance of Customer's code, configurations, vulnerabilities, prompts, model outputs, retrieved context, or other customer-specific security findings. Keygraph may use Usage Data and Operational Telemetry to operate, secure, maintain, improve, analyze, and support the Cloud Service and related products and services, including prompts, agent workflows, tool orchestration, routing, evaluations, guardrails, reliability, abuse detection, capacity planning, and product analytics, provided such use does not identify Customer or Users, reveal Customer Content, or train or fine-tune shared model weights on Customer Content. Keygraph may disclose Usage Data externally only in aggregated or de-identified form that does not identify Customer, Users, or Customer Content. 
Keygraph may publish aggregate, de-identified statistics, benchmarks, and trends derived from Usage Data, provided no such publication identifies Customer, any User, or any Customer Content.
2.5 Feedback. If Customer provides any suggestions, comments, or feedback about the Cloud Service ("Feedback"), Customer grants Keygraph a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, sublicensable license to use, reproduce, modify, create derivative works of, distribute, and otherwise exploit Feedback for any purpose, and Customer waives any moral rights in Feedback. Feedback is provided "AS IS."
2.6 AI Features; BYOK; Customer AI Providers. The Cloud Service is designed to integrate with third-party large-language-model services ("LLM Services") and related access, routing, or gateway intermediary services ("gateway operators") selected by Customer from Keygraph's supported providers. Each LLM Service provider or gateway operator that Customer selects, controls, and pays for through its own account, credentials, or API keys is a "Customer AI Provider." Keygraph operates AI features on a bring-your-own-key (BYOK) basis. Accordingly:
(a) Customer is solely responsible for all Customer AI Provider fees, usage charges, token costs, rate limits, quotas, account settings, credentials, API keys, and provider terms, regardless of scan volume, traffic patterns, agent behavior, or other usage characteristics of the Cloud Service;
(b) Customer AI Providers are Customer's vendors, not Keygraph's subcontractors or subprocessors, and are outside the Cloud Service for purposes of Keygraph's representations, warranties, indemnities, liability, security obligations, availability commitments, output quality, content filtering, and provider terms;
(c) Customer's BYOK configuration controls the Customer AI Provider, credentials, account, and provider-side settings used for AI features, but not each individual prompt, request, context item, tool output, or data element transmitted by the Cloud Service during ordinary operation; and
(d) when Customer enables or uses AI features, Customer instructs Keygraph to transmit Customer Content, prompts, model outputs, retrieved context, and related operational metadata to the Customer AI Provider as reasonably necessary to provide those features, subject to this Agreement, the DPA, Documentation, and Customer's available configuration settings.
For clarity, Keygraph's operation of routing, logging, observability, security, support, and other Cloud Service infrastructure remains governed by this Agreement and the DPA. Customer AI Providers process data under Customer's account, configuration, provider terms, and any data-processing terms Customer has with that provider. Keygraph's DPA does not apply to the Customer AI Provider's own processing except to the extent Keygraph itself controls Cloud Service infrastructure used to transmit, process, or store Customer Content.
Customer is not entitled to any refund, Fee credit, service credit, or other compensation from Keygraph for Customer AI Provider costs, outages, latency, errors, hallucinations, output quality, content filtering, model changes, provider terms, or service limitations. This exclusion applies regardless of whether such Customer AI Provider costs, usage charges, token costs, or related charges result from scan volume, prompt volume, context size, retries, agent workflows, tool calls, Customer configuration, Customer instructions, credentials, rate-limit behavior, ordinary operation of the Cloud Service, or errors, defects, or unexpected behavior of the Cloud Service, except to the extent liability cannot be excluded under Applicable Laws or arises from Keygraph's fraud, gross negligence, or willful misconduct.
2.7 AI Outputs. Outputs of the Cloud Service that are generated in whole or part by AI or machine-learning features — including findings, severity ratings, remediation suggestions, code patches, summaries, and risk assessments (collectively, "AI Outputs") — are informational only, may be incorrect or incomplete, may incorporate or resemble third-party code or content, and are not a substitute for human review and judgment. Customer is solely responsible for reviewing AI Outputs (including for license compatibility, originality, and third-party rights) before relying on them or deploying them, and bears the risk of any infringement, harm, or other loss arising from AI Outputs Customer chooses to use.
2.8 Prohibited Data. Customer will not submit to the Cloud Service any "Prohibited Data," meaning: (a) patient, medical, or other protected health information regulated by HIPAA; (b) credit card numbers, debit card numbers, bank account numbers, or other financial account numbers; (c) Social Security numbers, driver's license numbers, or other unique government identifiers; (d) special categories of data as defined in the GDPR (including biometric data, genetic data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or sex life or sexual orientation); (e) information of children under the age of 16; or (f) other similar categories of sensitive information specified by Applicable Data Protection Laws — except, in each case, as expressly authorized by a separate written agreement (such as a Business Associate Agreement or PCI DSS addendum) with Keygraph. The prohibition in this Section 2.8 applies only to intentional submission by or on behalf of Customer of Prohibited Data not necessary for application security testing; the incidental presence of such data in Customer Content (for example, in source code, code comments, test fixtures, container images, or vulnerability findings) is not a breach of this Section and, to the extent it constitutes Personal Data, is governed by the DPA.
2.9 Personal Data; DPA. If Customer submits Personal Data subject to Applicable Data Protection Laws (including the GDPR, the UK GDPR, or the CCPA/CPRA) to the Cloud Service, Customer and Keygraph will be bound by Keygraph's Data Processing Addendum at https://keygraph.io/dpa (the "DPA"), which is incorporated into this Agreement by reference. In the event of any conflict between this Agreement and the DPA regarding the processing of Personal Data, the DPA controls.
2.10 Privacy Policy. Keygraph's processing of personal information about Customer's administrators, billing contacts, authorized users, and other visitors to the Sites and the Cloud Service in Keygraph's capacity as a controller is described in the Keygraph Privacy Policy available at https://keygraph.io/privacy. The Privacy Policy is incorporated by reference for purposes of describing Keygraph's controller-level privacy practices, but does not modify the parties' rights and obligations with respect to Customer Content or Customer Personal Data, which are governed by these Terms and the DPA.
2.11 EU Data Residency. At account setup, Customer may elect the EU Data Residency option. If elected, Customer Content stored at rest in the production tenant database and object storage of the Cloud Service is stored in Amazon Web Services regions located within the European Economic Area, as further described in the DPA. This storage commitment does not apply to account metadata, billing data, support communications, security telemetry, Usage Data, Operational Telemetry, operational logs, personnel access, edge/CDN/security processing, transactional email, Customer-selected Third-Party Services, or Customer AI Providers. Those activities are governed by the DPA generally, including applicable transfer safeguards. The election is permanent for the life of the account unless the parties expressly agree otherwise in writing.
2.12 Third-Party Services. The Cloud Service is designed to integrate with third-party software, services, APIs, and platforms selected by Customer (such as source-code hosting platforms, ticketing systems, communication tools, identity providers, package registries, cloud providers, and similar services) (collectively, "Third-Party Services"). Customer is solely responsible for: (a) procuring, configuring, securing, maintaining, and paying for its accounts, credentials, permissions, and entitlements with each Third-Party Service; (b) complying with the terms of service, acceptable use policies, and rate limits of each Third-Party Service; and (c) any acts, omissions, changes, deprecations, outages, security incidents, or other behavior of any Third-Party Service. Keygraph is not responsible for, and has no liability for, the acts, omissions, security, availability, performance, accuracy, or terms of service of any Third-Party Service, except to the extent caused by Keygraph's breach of this Agreement. Third-Party Service unavailability is outside Keygraph's reasonable control for purposes of Section 8.1.
3. Acceptable Use Policy
3.1 General. Customer will use the Cloud Service in compliance with all Applicable Laws and this Agreement. The following Acceptable Use Policy ("AUP") applies to all use of the Cloud Service.
3.2 Authorization to Scan and Test. The Cloud Service performs offensive-security testing, vulnerability scanning, exploitation, and code analysis. Customer represents and warrants that, for every application, repository, system, network, endpoint, container, cloud account, or other target that Customer or any User configures, points the Cloud Service at, or otherwise causes the Cloud Service to scan, test, probe, exploit, or interact with (each, a "Target"):
(a) Customer owns the Target, or Customer has obtained express written authorization from the owner and operator of the Target to perform such activities using the Cloud Service;
(b) Customer's use of the Cloud Service against the Target complies with all Applicable Laws, including the Computer Fraud and Abuse Act (18 U.S.C. § 1030), state computer-crime laws, the laws of any other jurisdiction implicated by the Target's location or the location of its data, the Digital Millennium Copyright Act, and any applicable terms of service, acceptable-use policies, or rules-of-engagement governing the Target; and
(c) Customer's use will not exceed the scope of any such authorization.
Customer is solely responsible for obtaining and maintaining all such authorizations and for any claims, damages, or losses arising from unauthorized scanning, testing, exploitation, or access. This representation is a material inducement to Keygraph's provision of the Cloud Service.
Customer acknowledges that the Cloud Service is designed for use with Targets, Customer Content, repositories, applications, code, documentation, tickets, prompts, and other inputs that Customer owns, controls, is authorized to test, or reasonably believes are suitable for analysis by the Cloud Service. Customer is responsible for reviewing and controlling the Targets, Customer Content, credentials, integrations, and other inputs it submits or makes available to the Cloud Service. Customer further acknowledges that untrusted, adversarial, or intentionally manipulated inputs may affect Cloud Service behavior or outputs, and Customer assumes responsibility for its selection and use of such inputs except to the extent caused by Keygraph's breach of this Agreement, gross negligence, willful misconduct, fraud, or breach of Section 7 (Security).
Customer will maintain written records of each authorization, including scope, permitted techniques, target identifiers, timing, rate limits, and rules of engagement, and will provide such records to Keygraph on reasonable request where needed to investigate abuse, legal risk, or third-party complaints. Customer is not required to disclose information protected by attorney-client privilege or work-product doctrine, or to retain records beyond the longer of (i) three years after the relevant scan or (ii) the period required by Applicable Laws.
Keygraph employs automated and manual abuse-detection mechanisms. Keygraph reserves the right, but has no obligation, to block scans against certain domains, IP ranges, or Targets at its sole discretion, and may require Customer to provide written proof of Target ownership or authorization before initiating or continuing scans or before lifting any block.
If Keygraph reasonably believes Customer's use of the Cloud Service is unauthorized, unlawful, abusive, or the subject of a credible third-party complaint, Keygraph may preserve and disclose relevant account information, Target identifiers, scan metadata, audit logs, Customer contact information, and other information reasonably necessary to investigate, prevent, or respond to abuse, comply with Applicable Laws, or protect Keygraph, third parties, or the Cloud Service, including to affected third parties, service providers, law enforcement, regulators, or other authorities.
Customer further acknowledges that the Cloud Service performs active exploitation and dynamic testing techniques that may have mutative effects on Targets, including (without limitation) creating, modifying, or deleting users, data, accounts, configurations, or state; consuming Target resources; triggering side effects of injection or other attack techniques; and causing temporary or sustained unavailability of the Target. Customer is responsible for selecting appropriate Targets and environments for such testing (which Customer may, in its judgment, conduct against sandboxed, staging, development, or production environments) and for implementing any backups, snapshots, isolation, rate-limiting, scheduling, or other operational controls necessary to contain or recover from such effects. Customer assumes all risk of, and Keygraph has no liability for, any loss, damage, downtime, data alteration or destruction, side effects, or other consequences arising from the Cloud Service's operation against Targets, to the extent such consequences arise from Customer's configuration, instructions, Target selection, credentials, or authorized use of the Cloud Service in accordance with the Documentation. Nothing in this paragraph limits Keygraph's liability for breach of this Agreement, gross negligence, willful misconduct, fraud, or breach of Section 7 (Security).
3.3 Prohibited Activities. Customer will not, and will not permit any User or third party to:
(a) reverse engineer, decompile, disassemble, or attempt to derive the source code, models, algorithms, or underlying ideas of the Cloud Service or Software (except to the extent Applicable Laws prohibit this restriction);
(b) resell, sublicense, transfer, time-share, lease, rent, or otherwise make the Cloud Service available to third parties (other than to its Users for its own internal use), or provide it as part of a service bureau or as a managed-service offering to others, except under a separate written reseller or MSP agreement with Keygraph;
(c) remove, obscure, or alter any proprietary notices, marks, or labels in the Cloud Service or Software;
(d) copy, modify, translate, adapt, or create derivative works of the Cloud Service or Software, except for client-side configurations explicitly enabled by the Documentation;
(e) conduct security or penetration testing of, attempt to circumvent access controls of, intentionally interfere with the operation of, cause performance degradation of, or otherwise abuse the Cloud Service itself (as distinguished from Customer's authorized Targets) — except that Customer may submit vulnerability reports to security@keygraph.io and may participate in any vulnerability disclosure or bug bounty program Keygraph may publish;
(f) access portions of the Cloud Service, accounts, or data to which Customer does not have express authorization;
(g) access or use the Cloud Service, or any output, finding, AI Output, performance data, benchmark result, or other information derived from Customer's access to or use of the Cloud Service, for competitive analysis, competitive benchmarking, or to develop, train, evaluate, improve, market, or validate a competing or alternative product or service, including by measuring, comparing, ranking, testing, or publishing the Cloud Service's detection accuracy, coverage, performance, output quality, scanning behavior, feature set, user experience, or other characteristics against any competing or alternative product or service; copy any feature, function, or user interface of the Cloud Service; or assist any third party in doing any of the foregoing. This subsection (g) does not prohibit Customer's good-faith, non-public evaluation of the Cloud Service for Customer's own internal purchasing, security, compliance, or operational purposes;
(h) use the Cloud Service in connection with any "High-Risk Activity," meaning any situation where the use or failure of the Cloud Service could be reasonably expected to lead to death, bodily injury, or environmental damage (including operation of autonomous vehicles, life-support technology, emergency-response systems, nuclear facilities, weapons systems, or air-traffic control);
(i) use the Cloud Service to obtain unauthorized access to, exfiltrate data from, or cause damage to networks, systems, accounts, applications, repositories, or environments belonging to anyone other than Customer or those that Customer is expressly authorized to test;
(j) introduce or attempt to introduce viruses, worms, ransomware, or other malicious code into the Cloud Service or use the Cloud Service to do so against any third party;
(k) use the Cloud Service in violation of, or to violate, any export-control, sanctions, anti-bribery, or anti-money-laundering law, including the U.S. Export Administration Regulations, OFAC sanctions, and the Foreign Corrupt Practices Act;
(l) upload, submit, or make available to the Cloud Service any Customer Content to which Customer and Users do not have all necessary rights, or intentionally submit Prohibited Data except as permitted under Section 2.8;
(m) generate, store, or transmit any unlawful, harassing, defamatory, obscene, hateful, or sexually exploitative content through the Cloud Service;
(n) intentionally submit, include, or make available to the Cloud Service, or cause the Cloud Service to retrieve or process, any prompt, instruction, code, repository content, file, issue, ticket, comment, configuration, webpage, API response, or other material designed or intended to manipulate, override, disable, exfiltrate from, or otherwise interfere with the Cloud Service, Software, its AI systems, agents, tools, system prompts, safety controls, authentication controls, operating instructions, or service environment, except as expressly authorized in writing by Keygraph; or
(o) use the Cloud Service in any manner not authorized by the Documentation or any applicable usage limits or quotas associated with Customer's Plan.
3.4 Suspension. Keygraph may suspend Customer's or any User's access to the Cloud Service immediately and without prior notice if Keygraph reasonably determines that (a) Customer has materially breached this Agreement (including this AUP); (b) Customer's use of the Cloud Service poses a security, legal, or operational risk to the Cloud Service, Keygraph, or any third party; (c) Customer has an outstanding undisputed past-due balance for more than 30 days; or (d) suspension is required by Applicable Laws or by a request of a governmental, regulatory, or law-enforcement authority. Keygraph will use reasonable efforts to notify Customer of any suspension and the reason for it, and will reinstate access when the issue is resolved.
4. Plans, Orders, and Statements of Work
4.1 Plans. Customer subscribes to a "Plan" — a defined tier of access to the Cloud Service at a defined price per seat or other unit, as set forth in the applicable Order Form or, where Keygraph offers a self-service subscription plan, as described at the location identified at signup. By executing an Order Form or, for self-service plans, by selecting a Plan and clicking "Subscribe" (or a similar button), Customer enters into a binding subscription to that Plan on the terms of this Agreement.
Unless an Order Form, self-service signup flow, or plan description expressly defines a different usage metric, any Plan described as priced, limited, or measured by "Active Developers," "active developers," "Active Contributors," "active contributors," "contributors," or a similar contributor-based usage metric is measured by Active Developers. For such Plans, Keygraph may measure Active Developer usage on each Measurement Date using the Lookback Period ending on that Measurement Date. Unless the applicable Order Form, self-service signup flow, or plan description specifies a different cadence, the Measurement Date is the last day of each calendar month during the Subscription Period and at renewal. Keygraph may determine Active Developer counts from the connected source code management system, git metadata, pull request metadata, commit author information, committer information, account identity, Cloud Service usage records, or records Customer provides to Keygraph. If Customer exceeds the purchased Active Developer quantity, Customer will pay any applicable overage Fees, upgrade charges, or usage-based Fees described at signup, in the Cloud Service, in the applicable Order Form, or in the applicable plan description.
A person is deemed to have contributed code or software artifacts if that person authored, committed, pushed, merged, or submitted code, configuration, infrastructure-as-code, dependency files, manifests, lockfiles, scripts, or other software artifacts to a Connected Private Repository during the Lookback Period.
A person will not be treated as an Active Developer solely because their historical commits remain in a repository. To be billable, the person must also have current authorized access to the applicable source code management organization, workspace, project, group, or repository as of the applicable Measurement Date.
Active Developers exclude former employees, former contractors, former consultants, deactivated users, suspended users, removed users, users without current repository or organization access, read-only users, billing administrators, security reviewers, compliance users, auditors, executives, product managers, project managers, issue-only users, dashboard-only users, users who only triage findings, users who only receive reports or notifications, known bots, service accounts, machine users, CI/CD accounts, dependency update bots, GitHub Apps, GitLab bots, automation accounts, scanner accounts, and other non-human accounts, provided such accounts are not used by a natural person to avoid Fees.
Contractors, consultants, agency developers, outsourced developers, and other third-party personnel acting for or on behalf of Customer are included as Active Developers only if they both contributed code or software artifacts to a Connected Private Repository during the Lookback Period and have current authorized access as of the Measurement Date.
Contributions to public repositories, open-source repositories, archived public repositories, or repositories not connected to the Cloud Service do not count toward Active Developer counts.
A natural person will be counted at most once per billing period, even if that person uses multiple email addresses, usernames, aliases, source code management accounts, repositories, organizations, or integrations, to the extent the Cloud Service or Keygraph can reasonably identify such accounts as belonging to the same person.
Historical contributors identified during initial import, repository connection, first scan, or rescan may appear in usage analytics, audit logs, security findings, or contributor reports, but will not be billed unless they are current authorized users of the applicable source code management organization, workspace, project, group, or repository as of the Measurement Date.
Customer may not avoid Fees by sharing accounts, using non-human accounts for human activity, misclassifying active contributors, disabling or manipulating identity information, rewriting or obscuring commit metadata, splitting repositories or organizations for the purpose of avoiding Fees, or otherwise circumventing usage measurement.
If Customer believes a person has been incorrectly counted as an Active Developer, Customer may request review by providing reasonable supporting information. Keygraph may correct Active Developer counts for duplicate identities, bots, service accounts, removed users, former personnel, or other misclassified users, as reasonably determined by Keygraph.
4.2 Order Forms. A document signed or electronically accepted by both parties that identifies a Plan, a Subscription Period, applicable Fees, and any deviations from these Terms is an "Order Form." A self-service signup or upgrade transaction (including selection of a Plan in the Keygraph web interface) is also an Order Form for purposes of these Terms; the Plan selection, billing records, and other information confirmed at signup constitute the "Order Form" for that subscription. Capitalized terms used in an Order Form have the meanings given in these Terms unless the Order Form expressly defines them otherwise.
4.3 Statements of Work. From time to time, Customer may engage Keygraph to provide implementation, onboarding, integration, training, or other professional services (collectively, "Professional Services"). Each Professional Services engagement will be described in a "Statement of Work" or "SOW" that references this Agreement. An SOW becomes binding when signed or electronically accepted by both parties, including by clickthrough acceptance in the Keygraph web interface. Each SOW will be governed by this Agreement and will describe the scope, deliverables, schedule, fees, acceptance criteria (if any), and any deviations from these Terms applicable to that SOW.
4.4 One-Time Scans and Add-Ons. Keygraph may offer one-time or à-la-carte transactions, such as one-time agentic black-box penetration tests or other add-ons, at the prices set forth in the applicable Order Form or, where Keygraph offers a self-service one-time transaction, as presented at the time of the transaction. Each one-time transaction is non-refundable once the scan or service is initiated, is subject to this Agreement, and (unless an Order Form provides otherwise) is not subject to any service-level commitment, except that if the scan or service fails to complete due solely to Keygraph's uncured breach or service failure, Keygraph will, at its option, re-run the scan or service at no additional charge or refund the applicable one-time Fee. For clarity, any re-run, refund, or other remedy under this Section applies only to Fees charged by Keygraph for the one-time transaction and does not reimburse Customer for Customer AI Provider fees, token costs, gateway charges, or other Third-Party Service charges.
4.5 Order of Precedence. In the event of any conflict among the components of this Agreement, the following order of precedence applies (highest to lowest):
(1) the DPA, with respect to the processing of Personal Data only;
(2) the applicable Order Form;
(3) the applicable Statement of Work, with respect to Professional Services only;
(4) the body of these Terms;
(5) the Documentation.
An Order Form or Statement of Work overrides these Terms only to the extent it expressly identifies the conflicting provision or clearly states a different commercial term. For clarity, Keygraph rejects any conflicting or additional terms contained in any purchase order, vendor portal, or similar Customer document, which may be used only for Customer's internal accounting and administrative purposes. No such terms apply to this Agreement unless expressly accepted in a writing signed by an authorized officer of Keygraph.
4.6 Ownership of Professional Services Deliverables. Unless an SOW expressly states otherwise, Keygraph owns all Professional Services deliverables, tools, templates, know-how, scripts, code, configurations, and other materials it creates or provides in the course of performing Professional Services, excluding Customer Content. Subject to Customer's payment of applicable fees, Keygraph grants Customer a non-exclusive, non-transferable license to use such deliverables solely with the Cloud Service for Customer's internal business purposes. Keygraph may use general know-how, ideas, concepts, methodologies, and techniques learned in performing Professional Services for its other business purposes, provided it does not disclose Customer's Confidential Information.
5. Fees, Payment, Auto-Renewal & Cancellation
5.1 Fees. Customer will pay Keygraph the fees set forth in the applicable Order Form, Statement of Work, or, where Keygraph offers a self-service subscription plan, the pricing presented at signup and confirmed in Customer's order confirmation (collectively, "Fees"). Unless an Order Form specifies otherwise, all Fees are in U.S. Dollars and are exclusive of taxes.
5.2 Invoicing. Unless an Order Form provides for credit-card payment, Keygraph will invoice Customer in advance for each Subscription Period and in arrears for any usage-based Fees, and Customer will pay each invoice within thirty (30) days of the invoice date. Past-due amounts accrue interest at the lesser of 1.0% per month or the maximum rate allowed by Applicable Laws.
5.3 Credit-Card Payment; Authorization to Charge. If an Order Form provides for payment by, or Customer enrolls in a self-service plan that uses, a credit card, debit card, or other payment method accepted by Keygraph (each, a "Payment Method"), Customer authorizes Keygraph and Keygraph's payment processor to charge Customer's Payment Method, on a recurring basis and without further authorization, for: (a) all Fees for the initial Subscription Period at the time of signup; (b) all Fees for each Renewal Term on the first day of that Renewal Term (see Section 5.4 for renewal notice and cancellation rights); (c) any usage-based charges (such as one-time scans, overage fees, or add-ons) in arrears; and (d) any applicable taxes. Customer is responsible for keeping its Payment Method valid and current. If a charge is declined or fails, Keygraph may retry the charge, suspend the Cloud Service, or terminate the subscription as set forth in Section 13.
5.4 Auto-Renewal; Cancellation; California Automatic-Renewal Disclosure. This is an automatically renewing subscription.
(a) Renewal. The initial Subscription Period and each subsequent Subscription Period (each a "Renewal Term") will automatically renew for the same length as the prior Subscription Period (or, if the prior Subscription Period was longer than one year, for successive one-year Renewal Terms), unless Customer cancels before the end of the then-current Subscription Period as described in Section 5.4(c).
(b) Renewal Pricing. Renewal Fees will be at Keygraph's then-current Plan price, except that for subscriptions billed by credit card, Keygraph will not increase Customer's Fees by more than ten percent (10%) per renewal unless Keygraph has given Customer at least thirty (30) days' advance written notice (which may be by email to the email address associated with Customer's account) of a larger increase. For invoiced subscriptions, renewal-pricing terms are as set forth in the applicable Order Form.
(c) How to Cancel. Customer may cancel its subscription at any time, effective at the end of the then-current Subscription Period, by (i) using the cancellation feature available in the Keygraph account settings or billing portal at https://app.keygraph.io/billing, (ii) sending an email request to billing@keygraph.io, or (iii) following any cancellation procedure specified in an Order Form. Cancellation requests must be received at least three (3) business days before the renewal date to avoid renewal charges, unless Applicable Laws require a shorter period or the applicable Order Form provides otherwise. Requests received less than three (3) business days before the renewal date may be processed for the following Subscription Period. Keygraph will confirm cancellation by email.
(d) Pre-Renewal Reminder. For any subscription with a Subscription Period of one (1) year or longer that is billed by credit card, Keygraph will send Customer a renewal reminder by email at least 15 days and not more than 45 days before the renewal date, identifying the renewal date and the Fees that will be charged.
(e) Effect of Cancellation. Cancellation will stop future renewal charges. Cancellation does not entitle Customer to a refund of Fees already paid for the then-current Subscription Period, except as expressly provided in this Agreement.
(f) Trial-to-Paid Conversion. If Keygraph offers a free trial that requires Customer to provide a Payment Method and converts automatically to a paid subscription at the end of the trial period (a "Paid Trial"), Keygraph will, before Customer provides the Payment Method, clearly and conspicuously disclose: (i) that the Paid Trial will convert to a paid subscription at the end of the trial period; (ii) the recurring Fees that will be charged on conversion; (iii) the billing frequency; (iv) the date or deadline by which Customer must cancel to avoid being charged; and (v) how to cancel. Immediately after Customer signs up for a Paid Trial, Keygraph will send Customer a confirmation by email restating these terms. For any Paid Trial of more than seven (7) days, Keygraph will also send Customer a reminder by email between three (3) and twenty-one (21) days before the conversion charge. Customer may cancel a Paid Trial at any time before the conversion charge through the cancellation methods set forth in Section 5.4(c), and cancellation before the conversion charge will not result in any Fees for the trial period. The trial-to-paid conversion rate disclosed at signup will not increase at the time of conversion without Customer's separate affirmative consent.
5.5 Refunds; No Other Refunds. Except as expressly set forth in this Agreement (including in Sections 9.4 (warranty remedy), 11.2 (IP-claim mitigation), or 13.3 (termination for breach by Keygraph)), all Fees are non-refundable, including for partial Subscription Periods, unused features, or downgrades.
5.6 Payment Disputes. If Customer disputes a charge in good faith, Customer must notify Keygraph at billing@keygraph.io within 30 days of the charge with reasonable detail of the basis for the dispute. The parties will work together to resolve the dispute in good faith within 15 days. Customer must continue to pay any undisputed amounts.
5.7 Taxes. Customer is responsible for all duties, taxes, withholdings, and levies imposed on the sale or use of the Cloud Service (other than Keygraph's income taxes), including sales, use, VAT, and GST, that Keygraph or its payment processor itemizes on Customer's invoice or charge.
6. Confidentiality
6.1 Confidential Information. "Confidential Information" means non-public information disclosed by one party (the "Discloser") to the other party (the "Recipient") in connection with this Agreement, including before the Effective Date, that the Discloser identifies as confidential or that should reasonably be understood as confidential given its nature and the circumstances of disclosure. Confidential Information includes the existence and terms of this Agreement (other than its publicly posted form), Customer's non-public Customer Content, Customer's non-public Support Materials, and Keygraph's non-public information about the Cloud Service (including pricing offered to Customer that differs from publicly listed pricing).
6.2 Use and Disclosure. Except as authorized by this Agreement or as needed to perform its obligations or exercise its rights, Recipient will not (a) use Discloser's Confidential Information; or (b) disclose Discloser's Confidential Information to anyone other than its employees, contractors, advisors, and representatives who have a need to know and are bound by confidentiality obligations at least as protective as those in this Section 6. Recipient will protect Discloser's Confidential Information using at least the same care it uses for its own confidential information of like importance, but in no event less than reasonable care, and Recipient is responsible for any breach by anyone to whom it discloses Confidential Information.
6.3 Exclusions. Confidential Information does not include information that Recipient can demonstrate (a) it knew without obligation of confidentiality before disclosure by Discloser; (b) is or becomes publicly known through no fault of Recipient; (c) it received from a third party with the right to disclose it without obligation of confidentiality; or (d) it independently developed without use of or reference to Discloser's Confidential Information.
6.4 Required Disclosures. Recipient may disclose Confidential Information to the extent required by Applicable Laws or legal process if, unless prohibited, Recipient gives Discloser reasonable advance notice and reasonably cooperates, at Discloser's expense, with Discloser's efforts to obtain confidential treatment.
6.5 Survival. This Section 6 survives termination of this Agreement for as long as the Confidential Information remains confidential.
7. Security; Incident Response
7.1 Security Program. Keygraph will maintain a written information-security program designed to protect the Cloud Service and Customer Content against unauthorized access, alteration, disclosure, or destruction, including administrative, technical, physical, and organizational safeguards appropriate to the nature of the Cloud Service and the data it processes. Keygraph may modify its security practices from time to time, provided that the security of the Cloud Service is not materially reduced during a Subscription Period. Marketing, architecture, and security-overview materials Keygraph publishes are provided for informational purposes and are not contractually binding, except to the extent expressly incorporated into this Agreement, an Order Form, the DPA, or a written security addendum.
7.2 Security Incidents. "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Content within Keygraph's control or within the control of Keygraph's Subprocessors for the Cloud Service, but excluding Customer AI Providers and other Customer-selected Third-Party Services governed by Section 2.6 or Section 2.12; provided that unsuccessful attempts that do not result in actual unauthorized access to or loss of Customer Content (including unsuccessful log-on attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems) are not Security Incidents. Upon becoming aware of a Security Incident, Keygraph will (a) notify Customer without undue delay and in any event within seventy-two (72) hours, by email to the security or administrator email address associated with Customer's account; (b) provide timely information about the Security Incident as it becomes known or as Customer reasonably requests, to the extent then known and to the extent doing so does not compromise the investigation or violate Applicable Laws; and (c) promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. Keygraph may provide information in phases as it becomes available, and no initial notice or any response constitutes an acknowledgment of fault, liability, or final determination. To the extent a Security Incident involves Customer Personal Data, Keygraph's obligations under the DPA also apply, and the DPA controls in the event of any conflict regarding Security Incident obligations for Customer Personal Data.
7.3 Customer Responsibilities. Customer is responsible for: (a) configuring its account and the Cloud Service in accordance with the Documentation and any security best practices Keygraph publishes; (b) the security of its credentials, API keys, and BYOK credentials (Section 2.6); (c) the security of Customer's own systems, networks, and Targets; and (d) the design, implementation, and monitoring of Customer's overall information-security program. Keygraph's notification of a Security Incident is not an admission of fault or liability.
7.4 Audits. Keygraph maintains a security audit program and will make its then-current SOC 2 (or equivalent independent third-party security audit report) and other reasonably requested security documentation available to Customer under confidentiality obligations on reasonable request, subject to such report being available for the applicable service at the time of request. Keygraph does not provide on-site customer audits, customer-led penetration testing of the Cloud Service, or access to Keygraph's systems for audit purposes, except (a) as set forth in the DPA, (b) as may be required by Applicable Laws, or (c) as otherwise expressly agreed in an Order Form.
7.5 Support Materials; Sanitization. Customer may voluntarily submit logs, diagnostic bundles, screenshots, stack traces, configuration details, repository metadata, findings, vulnerability information, architecture details, support communications, or similar technical materials to Keygraph for support, diagnostics, security, troubleshooting, or Professional Services ("Support Materials"). Keygraph will use Support Materials only to provide support or Professional Services, investigate issues or vulnerabilities, maintain and secure the Cloud Service, and improve Keygraph's support and development processes, subject to Section 2.3 (No Training on Customer Content or Support Materials) and Section 6 (Confidentiality). Before submitting Support Materials, Customer will use commercially reasonable efforts to remove secrets, credentials, private keys, API tokens, Prohibited Data, and other sensitive or regulated data not reasonably necessary for Keygraph to provide support. Customer should not submit secrets, credentials, regulated data, or Prohibited Data through support channels unless expressly authorized by a separate written agreement. If Customer inadvertently submits secrets or credentials, Customer remains responsible for rotation or revocation, and Keygraph will delete such materials upon reasonable written request where technically feasible.
8. Service Availability
8.1 Service Availability. Keygraph will use commercially reasonable efforts to make the core functionality of the Cloud Service available 24 hours a day, 7 days a week, excluding planned downtime, emergency maintenance, Force Majeure Events, Beta Features, Customer-controlled systems, Customer AI Providers, Third-Party Services, and other circumstances outside Keygraph's reasonable control. Any specific uptime commitment, service level agreement, or service credit applies only if expressly stated in a signed Order Form.
9. Representations, Warranties & Disclaimers
9.1 Mutual. Each party represents and warrants to the other that: (a) it has the legal authority to enter into this Agreement; (b) it is duly organized, validly existing, and in good standing under the laws of the jurisdiction of its organization; and (c) it will comply with all Applicable Laws in performing its obligations and exercising its rights under this Agreement.
9.2 Customer. Customer represents, warrants, and covenants that: (a) Customer has and will maintain all rights and authorizations required under Sections 2.2, 2.8, and 3.2; (b) Customer and its Users will comply with Section 3.3 and Section 14.10; and (c) Customer is responsible for reviewing and deciding whether to rely on AI Outputs as described in Section 2.7.
9.3 Keygraph Service Warranty. Keygraph represents and warrants to Customer that, during the Subscription Period, Keygraph will not materially reduce the general functionality of the Cloud Service. This warranty does not extend to: (a) reductions in functionality of features that depend on a Customer AI Provider to the extent caused by that Customer AI Provider; (b) Beta Features; (c) free or trial use; or (d) any feature that Keygraph deprecates or modifies on at least 90 days' advance notice as part of the ordinary product roadmap (so long as the overall Cloud Service continues to provide materially equivalent core functionality in the aggregate).
9.4 Warranty Remedy. If Keygraph breaches Section 9.3, Customer must give Keygraph notice (with enough detail to understand or replicate the issue) within 45 days of discovering the issue. Within 45 days of receiving sufficient detail, Keygraph will attempt to restore the general functionality. If Keygraph cannot resolve the issue, Customer may terminate the affected subscription and Keygraph will refund a prorated portion of prepaid Fees for the remainder of the then-current Subscription Period. This is Customer's sole and exclusive remedy for breach of Section 9.3.
9.5 Disclaimer. EXCEPT FOR THE EXPRESS WARRANTIES IN SECTIONS 9.1 AND 9.3, AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAWS, THE CLOUD SERVICE, SOFTWARE, DOCUMENTATION, PROFESSIONAL SERVICES, AND BETA FEATURES ARE PROVIDED "AS IS" AND "AS AVAILABLE," AND KEYGRAPH AND ITS LICENSORS DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE.
9.6 Application-Security and Compliance Disclaimers. Customer expressly acknowledges: (a) no application-security tool, including the Cloud Service, can identify, prevent, or remediate all vulnerabilities, threats, attacks, or unauthorized access, and the Cloud Service does not guarantee that Customer's applications, systems, or data will be free from vulnerabilities, breaches, or compromise; (b) AI Outputs and other outputs of the Cloud Service are informational only, do not constitute professional security, audit, or legal advice, and require Customer's independent review and judgment; (c) Customer is solely responsible for the design, implementation, operation, and monitoring of its overall information-security program, including final decisions about which vulnerabilities to remediate, which remediations to deploy, and how to configure and operate its systems; (d) while Customer may use the Cloud Service to support compliance or audit programs (including programs aligned to SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP, or similar frameworks), the Cloud Service does not itself produce compliance certifications, audit opinions, or regulatory determinations, and Customer's achievement, maintenance, and passage of any such certification, audit, or examination depends on Customer's own controls, evidence, and the independent determinations of auditors and regulators; and (e) outputs of the Cloud Service may be incorrect or incomplete and should not be relied upon as the sole basis for any security, remediation, or business decision. The disclaimers in this Section 9.6 are in addition to, and do not limit, the disclaimers in Section 9.5.
10. Limitation of Liability
10.1 Damages Waiver. EXCEPT AS PROVIDED IN SECTION 10.4, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY LOST PROFITS OR REVENUES (WHETHER DIRECT OR INDIRECT), LOSS OF GOODWILL, LOSS OF DATA OR BUSINESS INTERRUPTION, OR ANY CONSEQUENTIAL, SPECIAL, INDIRECT, EXEMPLARY, PUNITIVE, OR INCIDENTAL DAMAGES ARISING OUT OF OR RELATING TO THIS AGREEMENT, EVEN IF THE PARTY WAS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.
10.2 General Cap. EXCEPT AS PROVIDED IN SECTIONS 10.3 AND 10.4, EACH PARTY'S TOTAL CUMULATIVE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO KEYGRAPH UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM (THE "GENERAL CAP").
10.3 Increased Cap. EACH PARTY'S TOTAL CUMULATIVE LIABILITY FOR CLAIMS ARISING FROM (a) BREACH OF SECTION 6 (CONFIDENTIALITY); (b) BREACH OF SECTION 7 (SECURITY), INCLUDING SECURITY INCIDENTS CAUSED BY KEYGRAPH'S BREACH OF SECTION 7; AND (c) AN INDEMNIFYING PARTY'S OBLIGATIONS UNDER SECTION 11 (INDEMNIFICATION), TAKEN TOGETHER WITH ANY OTHER CLAIMS UNDER THIS AGREEMENT, WILL NOT EXCEED TWO (2) TIMES THE GENERAL CAP (THE "INCREASED CAP").
10.4 Exceptions. The limitations in Sections 10.1, 10.2, and 10.3 do not apply to: (a) Customer's obligation to pay Fees; (b) Customer's breach of the Acceptable Use Policy (Section 3); (c) either party's gross negligence, willful misconduct, or fraud; or (d) liability that cannot be limited under Applicable Laws.
10.5 Allocation. The limitations of liability in this Section 10 reflect the parties' agreed allocation of risk and the Fees Customer pays. The limitations apply to all theories of liability, whether in contract, tort (including negligence), breach of statutory duty, or otherwise.
10.6 Insurance. Keygraph will, during the Subscription Period and for six (6) months after, maintain commercial insurance with coverage limits not less than: (a) commercial general liability of $1,000,000 per occurrence and $2,000,000 aggregate; (b) errors-and-omissions / technology professional liability of $1,000,000 per claim and $1,000,000 aggregate; and (c) cyber liability of $1,000,000 per occurrence and $1,000,000 aggregate. On reasonable request, Keygraph will provide a certificate of insurance. Keygraph's insurance is not evidence of liability and does not increase the limitations in this Section 10.
11. Indemnification
11.1 By Keygraph. For paid subscriptions only, Keygraph will defend Customer against any third-party claim alleging that the Cloud Service, as provided by Keygraph and used by Customer in accordance with this Agreement and the Documentation, directly infringes or misappropriates that third party's patent, copyright, trademark, trade secret, or other intellectual-property right (a "Provider IP Claim"). Keygraph will indemnify Customer for damages, settlements, and reasonable attorneys' fees finally awarded by a court of competent jurisdiction or agreed in a settlement approved by Keygraph in connection with a Provider IP Claim.
Keygraph has no obligation under this Section 11.1 for claims arising from or relating to: (a) Customer Content; (b) AI Outputs or Customer's use, modification, deployment, distribution, or other exploitation of AI Outputs; (c) Customer AI Providers or Third-Party Services; (d) open-source software, third-party code, third-party data, or other materials not provided by Keygraph as part of the Cloud Service; (e) modifications not made by Keygraph; (f) combination with products, services, data, or processes not provided by Keygraph; (g) use outside this Agreement or the Documentation, including use in breach of this Agreement; (h) free use, trial use, or Beta Features; (i) continued use after Keygraph provides notice to stop due to a claim or provides a non-infringing replacement; or (j) any claim for which Customer has an indemnity obligation under Section 11.3.
11.2 IP Claim Mitigation. If a Provider IP Claim is made or, in Keygraph's reasonable opinion, is likely to be made, Keygraph may at its option and expense: (a) procure for Customer the right to continue using the affected portion of the Cloud Service; (b) modify the affected portion of the Cloud Service to be non-infringing without materially reducing functionality; or (c) terminate the affected subscription and refund a prorated portion of prepaid Fees for the remainder of the then-current Subscription Period.
11.3 By Customer. Customer will defend Keygraph and its officers, directors, employees, and affiliates against any third-party claim arising from: (a) Customer Content, including a claim that Customer Content infringes or misappropriates a third party's intellectual property or violates Applicable Laws; (b) Customer's breach of Section 3 (Acceptable Use Policy), including any claim that Customer used the Cloud Service to scan, test, exploit, or access a Target without authorization; (c) Customer's breach of Section 2.2 (rights in Customer Content), Section 2.7 (responsibility for AI Outputs), or Section 2.8 (Prohibited Data); or (d) Customer's violation of Applicable Laws (each, a "Customer Claim"). Customer will indemnify Keygraph for the resulting damages, settlements, and reasonable attorneys' fees finally awarded by a court of competent jurisdiction or agreed in a settlement approved by the indemnifying party.
11.4 Procedure. An indemnifying party's obligations under Section 11.1 or 11.3 are contingent on the indemnified party (a) promptly notifying the indemnifying party of the claim, provided that failure to provide prompt notice relieves the indemnifying party only to the extent materially prejudiced by the delay; (b) giving the indemnifying party sole control of the defense and settlement, provided that no settlement may impose liability, an admission of fault, payment obligation, or ongoing obligation on the indemnified party without the indemnified party's prior written consent, not to be unreasonably withheld; and (c) providing reasonable cooperation at the indemnifying party's expense.
11.5 Exclusive Remedy. This Section 11, together with any termination rights, describes Customer's exclusive remedy and Keygraph's entire liability for any Provider IP Claim or other third-party intellectual-property claim concerning the Cloud Service, and describes Keygraph's exclusive remedy and Customer's entire liability for any Customer Claim, except to the extent a signed Order Form expressly provides different indemnity obligations.
12. Ownership; Reservation of Rights
12.1 Keygraph IP; Ownership of AI Outputs. Keygraph and its licensors own and retain all right, title, and interest in and to the Cloud Service, Software, Documentation, Usage Data, Feedback, and the artificial-intelligence and machine-learning models, infrastructure, methods, Keygraph-authored prompts, system instructions, agent workflows, tool orchestration, evaluation methods, templates, and other technology used to generate AI Outputs, including all improvements, derivative works, and modifications, whether developed before, on, or after the Effective Date.
Subject to the foregoing, to Keygraph's ownership of its pre-existing or independently developed materials, to any third-party rights, and to any applicable Customer AI Provider terms, Customer owns, as between the parties, the customer-specific AI Outputs generated for Customer through the Cloud Service. To the extent Keygraph has any right, title, or interest in such customer-specific AI Outputs, Keygraph assigns that interest to Customer. Customer grants Keygraph a non-exclusive, worldwide, royalty-free license to host, copy, transmit, display, process, and use AI Outputs solely as needed to provide, maintain, secure, and support the Cloud Service and to comply with Applicable Laws.
For clarity, Customer's ownership of AI Outputs does not give Customer any ownership rights in the Cloud Service, Software, Documentation, Usage Data, Feedback, underlying models, infrastructure, methods, Keygraph-authored prompts, system instructions, agent workflows, tool orchestration, evaluation methods, templates, or other Keygraph technology. Keygraph disclaims responsibility for AI Outputs as set forth in Sections 2.7 and 9.6.
12.2 Customer Content. Subject to the licenses granted in Section 2.1, Customer retains all right, title, and interest in and to Customer Content.
12.3 No Implied Licenses. Except for the limited license granted to Customer in Section 1.2, no rights are granted to Customer by implication, estoppel, or otherwise.
13. Term, Termination & Suspension
13.1 Term. This Agreement starts when Customer first accepts it (the "Effective Date") and continues until all subscriptions and SOWs under it have ended or it is terminated as set forth below.
13.2 Subscription Period. Each subscription begins on the Order Date and continues for the Subscription Period set forth in the applicable Order Form or in the signup confirmation, and renews automatically as set forth in Section 5.4.
13.3 Termination for Cause. Either party may terminate this Agreement or any Order Form or SOW immediately on written notice if the other party: (a) fails to cure a material breach within 30 days of written notice (or, for Customer's failure to pay Fees, within 10 days of written notice); (b) materially breaches in a manner that cannot be cured; (c) ceases doing business or makes an assignment for the benefit of creditors; or (d) becomes the subject of a bankruptcy, insolvency, or similar proceeding that continues for more than 60 days.
13.4 Termination for Convenience by Keygraph. Keygraph may terminate any free or trial use, or any Beta Feature, at any time with or without notice.
13.5 Effect of Termination. On termination or expiration: (a) Customer's right to access and use the Cloud Service ends; (b) Customer will pay all Fees accrued before termination; (c) on Customer's written request made within thirty (30) days after termination or expiration, Keygraph will make Customer Content available for export in a commercially reasonable format using then-available export functionality or another commercially reasonable method. Exportable Customer Content may include, to the extent then available in Customer's tenant and supported by Keygraph's then-current export functionality, findings, reports, and other customer-facing records designated by Keygraph for export. It excludes Keygraph's intellectual property, Usage Data, security telemetry, internal service logs, tenant configurations, integration settings, system metadata, data stored only in routine backups, data held by Customer-selected Third-Party Services (including Customer AI Providers), and any data that Keygraph cannot lawfully or technically export without disproportionate effort. After the export period, or if no export is requested, Keygraph will delete or render inaccessible Customer Content from active production systems within sixty (60) days, subject to retention required by Applicable Laws, legal hold, dispute-resolution obligations, or routine backups under documented retention schedules and overwrite cycles; and (d) each party will return or destroy the other party's Confidential Information except for copies retained in routine backups or as required by Applicable Laws.
13.6 Survival. Sections that by their nature should survive termination will survive, including: Sections 2.3, 2.5, 2.7, 2.8, 3 (with respect to events occurring during the term), 5 (with respect to Fees accrued before termination), 6, 7.5, 9.5, 9.6, 10, 11, 12, 13.5, 13.6, 14, and 15, and all definitions necessary to construe surviving provisions.
14. Governing Law; Disputes
14.1 Governing Law. This Agreement is governed by the laws of the State of California, without regard to its conflict-of-laws principles. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act do not apply.
14.2 Venue. Subject to Section 14.3, the parties will bring any legal suit, action, or proceeding arising out of or relating to this Agreement exclusively in the state or federal courts located in the City and County of San Francisco, California, and each party irrevocably submits to the exclusive jurisdiction of those courts.
14.3 Informal Dispute Resolution. Before initiating any legal action (other than an action for injunctive relief or to collect undisputed Fees), the parties will attempt in good faith to resolve any dispute by giving written notice to Keygraph's notice address listed in Section 15.5 (in the case of a dispute initiated by Customer) or to Customer's notice address (in the case of a dispute initiated by Keygraph) and meeting and conferring (including by videoconference) within 30 days of the notice.
14.4 Equitable Relief. Either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property rights or Confidential Information, without the requirement of posting a bond.
14.5 Class Action Waiver. EACH PARTY AGREES THAT ANY DISPUTE WILL BE BROUGHT ON AN INDIVIDUAL BASIS ONLY AND NOT AS PART OF A CLASS ACTION, COLLECTIVE ACTION, OR REPRESENTATIVE PROCEEDING. THE PARTIES EXPRESSLY WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION OR REPRESENTATIVE PROCEEDING AGAINST THE OTHER.
14.6 Jury Trial Waiver. TO THE EXTENT PERMITTED BY APPLICABLE LAWS, EACH PARTY WAIVES ANY RIGHT TO A JURY TRIAL IN ANY ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT.
14.7 Limitations Period. Any claim arising out of or relating to this Agreement must be brought within one (1) year after the cause of action accrues, except for claims for non-payment of Fees or for infringement, misappropriation, or breach of confidentiality, which may be brought within the period permitted by Applicable Laws.
14.8 Equitable Remedies. A breach of Section 3 (AUP), Section 6 (Confidentiality), or a violation of a party's intellectual-property rights may cause irreparable harm for which monetary damages are inadequate. The non-breaching party may seek equitable relief in addition to its other remedies.
14.9 Export Controls; Sanctions. Customer may not export or re-export the Cloud Service, Software, or any related technology in violation of the export-control or sanctions laws of the United States (including those administered by the Department of Commerce, OFAC, and the Department of State) or any other applicable jurisdiction. Customer represents and warrants that Customer is not: (a) located in, organized under the laws of, or a national or resident of any country, region, government, person, or entity subject from time to time to comprehensive sanctions or embargoes administered by the United States (including OFAC, BIS, and the Department of State), the United Nations, the European Union, the United Kingdom, or any other applicable sanctions authority; (b) listed on, or 50% or more owned by parties listed on, any sanctions or restricted-party list maintained by any of the foregoing authorities (including OFAC's SDN List, the EU consolidated list, or the UN Security Council Consolidated List); or (c) otherwise prohibited from receiving the Cloud Service under Applicable Laws. Keygraph may suspend or terminate this Agreement immediately without notice or liability to comply, as determined in Keygraph's reasonable discretion, with applicable export-control and sanctions laws and regulations.
14.10 Anti-Bribery. Neither party will offer, give, promise, or receive anything of value to or from any person to obtain or retain business in violation of any Applicable Laws, including the U.S. Foreign Corrupt Practices Act and the UK Bribery Act 2010.
14.11 Government End Users. The Cloud Service and Software are "commercial items," "commercial computer software," and "commercial computer software documentation" as defined in 48 C.F.R. § 2.101, FAR § 12.212, and DFARS § 227.7202. Any use, modification, reproduction, release, performance, display, or disclosure by or for the U.S. Government is governed solely by this Agreement.
15. General
15.1 Entire Agreement. This Agreement (including the DPA, any incorporated policies, any Order Forms, and any SOWs) is the entire agreement between the parties about its subject and supersedes all prior or contemporaneous statements about its subject. Keygraph expressly rejects any conflicting or additional terms in any Customer purchase order, vendor portal, or similar Customer document, which may be used only for Customer's internal accounting purposes.
15.2 Modification of Terms. Keygraph may modify these Terms from time to time. Material modifications require at least 30 days' advance notice by email to the account-administrator email address on file or by prominent notice in the Cloud Service, and take effect on the date stated in the notice or, if no date is stated, 30 days after notice. Customer's continued use of the Cloud Service after the effective date constitutes acceptance of the modified Terms. If Customer rejects a material modification, Customer may terminate its subscription by notice to billing@keygraph.io before the modification takes effect and receive a prorated refund of prepaid Fees for the remainder of the then-current Subscription Period. Non-material modifications (such as clarifications, typographical fixes, or changes required by Applicable Laws) may take effect immediately on posting. The "Last Updated" date identifies the current version. Material adverse changes to incorporated policies, including the Privacy Policy, that materially reduce Customer's rights or materially increase Customer's obligations will be treated as material modifications of these Terms. Changes to the DPA are governed by the DPA's update provisions, and changes to Subprocessors are governed by the DPA's Subprocessor notice and objection process.
15.3 Severability; Waiver. If any provision of this Agreement is held to be unenforceable, the remaining provisions will remain in effect, and the unenforceable provision will be limited or modified only to the extent necessary to make it enforceable. A party's failure to enforce any provision is not a waiver.
15.4 Assignment. Customer may not assign this Agreement or any rights or obligations under it without Keygraph's prior written consent. Keygraph may assign this Agreement on notice to Customer in connection with a merger, acquisition, reorganization, sale of equity, or sale of all or substantially all of Keygraph's assets to which this Agreement relates. Subject to the foregoing, this Agreement binds and benefits the parties and their permitted successors and assigns. Any non-permitted assignment is void.
15.5 Notices. Notices to Keygraph must be sent to Keygraph's Notice Address: Keygraph, Inc., Attn: Legal, 2261 Market Street STE 22013, San Francisco, CA 94114, legal@keygraph.io. Privacy-related inquiries may also be directed to privacy@keygraph.io. Notices to Customer will be sent to the email address associated with Customer's account or to any postal address Customer has provided. Notices are deemed given on confirmed delivery (email or in-app) or two days after deposit with an overnight commercial delivery service.
15.6 Independent Contractors. The parties are independent contractors. Nothing in this Agreement creates a partnership, agency, joint venture, or employment relationship.
15.7 No Third-Party Beneficiaries. There are no third-party beneficiaries of this Agreement, except for the Keygraph indemnified parties described in Section 11.3, who may enforce that Section through Keygraph.
15.8 Force Majeure. Neither party will be liable for any delay or failure to perform (other than payment obligations) caused by events beyond its reasonable control, including natural disasters, war, terrorism, civil unrest, labor disputes, pandemics, governmental orders, or failures of public utilities or third-party infrastructure (each, a "Force Majeure Event"). If a Force Majeure Event prevents the Cloud Service from materially operating for 30 or more consecutive days, either party may terminate the affected subscription and Keygraph will refund prepaid Fees for the remainder of the then-current Subscription Period.
15.9 Resellers. Customer may have procured access to the Cloud Service through an authorized reseller or distributor of Keygraph. Any agreement between Customer and the reseller is separate from and does not modify this Agreement. Keygraph is the sole provider of the Cloud Service under this Agreement, and no reseller is authorized to make warranties, representations, commitments, or modifications on Keygraph's behalf, accept notices for Keygraph, or otherwise bind Keygraph. If Customer procures access to the Cloud Service through a Keygraph-authorized reseller, payment obligations are owed to the reseller as agreed between Customer and the reseller, but non-payment to the reseller may result in suspension or termination of the Cloud Service. Notwithstanding the foregoing, Keygraph remains responsible for providing the Cloud Service in accordance with this Agreement regardless of any payment dispute between Customer and the reseller.
15.10 Publicity. Keygraph may identify Customer as a customer and use Customer's name and logo in promotional materials and on Keygraph's website. Customer may revoke this permission at any time by providing written notice to legal@keygraph.io, after which Keygraph will cease prospective use within thirty (30) days (existing printed materials and archived web content excepted).
15.11 Counterparts; Electronic Signatures. This Agreement may be accepted by clickthrough, electronic signature, or in counterparts, each of which is an original and all of which together constitute one agreement. The parties consent to the use of electronic signatures, and electronic acceptance is binding on both parties to the same extent as a handwritten signature.
15.12 Headings; Interpretation. Section headings are for reference only. "Including" and similar phrases are non-exhaustive. "Days" means calendar days unless otherwise specified.
16. Definitions
In addition to terms defined elsewhere in this Agreement:
- "Active Developer" means a unique natural person who, during the applicable Lookback Period, contributed code or software artifacts to a Connected Private Repository and who, as of the applicable Measurement Date, remains an active member, collaborator, external collaborator, contractor, consultant, or other authorized user of Customer's connected source code management organization, workspace, project, group, or repository.
- "Affiliate" means an entity that, directly or indirectly, controls, is controlled by, or is under common control with a party, where "control" means ownership of more than 50% of the voting equity.
- "AI Output" has the meaning in Section 2.7.
- "Applicable Data Protection Laws" means the laws governing the processing of Personal Data that apply to a party, including the GDPR, the UK GDPR, the CCPA/CPRA, and other U.S. state privacy laws.
- "Applicable Laws" means the laws, regulations, court orders, and binding requirements of a relevant government authority that apply to a party.
- "Beta Feature" has the meaning in Section 1.6.
- "BYOK" has the meaning in Section 2.6.
- "Cloud Service" has the meaning in Section 1.1.
- "Connected Private Repository" means a private, internal, or non-public source code repository for which Customer has enabled, configured, connected, or authorized the Cloud Service to perform code security scanning, secret scanning, dependency scanning, software composition analysis, vulnerability detection, policy checks, or related application-security functionality.
- "Customer AI Provider" has the meaning in Section 2.6.
- "Customer Content" has the meaning in Section 2.1.
- "Customer Personal Data" has the meaning given in the DPA.
- "Documentation" means the usage and technical documentation Keygraph makes generally available for the Cloud Service.
- "DPA" has the meaning in Section 2.9.
- "Effective Date" means the date Customer first accepts this Agreement.
- "Feedback" has the meaning in Section 2.5.
- "Fees" has the meaning in Section 5.1.
- "Force Majeure Event" has the meaning in Section 15.8.
- "GDPR" means Regulation (EU) 2016/679.
- "High-Risk Activity" has the meaning in Section 3.3(h).
- "LLM Services" has the meaning in Section 2.6.
- "Lookback Period" means the rolling ninety (90) day period immediately preceding the applicable Measurement Date.
- "Measurement Date" means the date on which Active Developer usage is measured for invoicing, renewal, true-up, usage reporting, or other plan-administration purposes.
- "Order Date" means the date Customer's subscription begins, as confirmed at signup or in an Order Form.
- "Order Form" has the meaning in Section 4.2.
- "Personal Data" has the meaning given in the Applicable Data Protection Laws.
- "Plan" has the meaning in Section 4.1.
- "Professional Services" has the meaning in Section 4.3.
- "Prohibited Data" has the meaning in Section 2.8.
- "Protected AI Data" has the meaning in Section 2.3.
- "Renewal Term" has the meaning in Section 5.4(a).
- "Security Incident" has the meaning in Section 7.2.
- "Software" means client-side software (such as CLI tools, browser extensions, runners, or other downloadable components) that Keygraph makes available for installation in connection with the Cloud Service.
- "Sites" means Keygraph's websites, including keygraph.io, keygraph.app, and any other website Keygraph owns or operates that links to these Terms or the Privacy Policy.
- "SOW" or "Statement of Work" has the meaning in Section 4.3.
- "Subprocessor" has the meaning given in the DPA.
- "Subscription Period" means the initial subscription term and each Renewal Term.
- "Support Materials" has the meaning in Section 7.5.
- "Target" has the meaning in Section 3.2.
- "Third-Party Services" has the meaning in Section 2.12.
- "Usage Data" has the meaning in Section 2.4.
- "User" has the meaning in Section 1.2.
Provenance & Attribution. These Terms of Service are derived from the Common Paper Cloud Service Agreement Standard Terms v2.1 (https://commonpaper.com/standards/cloud-service-agreement/2.1/), with substantial modifications by Keygraph, Inc. The text of these Terms as published at https://keygraph.io/terms is controlling. The Common Paper source materials are made available under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
Keygraph, Inc. — Notice/Mailing address: 2261 Market Street STE 22013, San Francisco, CA 94114 — legal@keygraph.io