Skip to main content
Surfbotsurfbot

Terms of Service

Last updated: February 27, 2026

These Terms of Service (“Terms”) govern your access to and use of Surfbot (“Service”), operated by Surfbot Inc. (“Company”, “we”, “us”).

By creating an account or using the Service, you agree to these Terms.

1. Service Description

Surfbot is an external attack surface management (EASM) platform that discovers and monitors publicly accessible assets associated with domains you configure. All scanning is performed externally — we do not install agents, require network access, or use your credentials.

2. Account Registration

You must provide accurate information when creating an account. You are responsible for maintaining the security of your account credentials. You must be at least 16 years old and have the authority to bind your organization to these Terms.

3. Acceptable Use

You agree to:

  • Only scan domains you own or are authorized to scan. By adding a domain to Surfbot, you represent and warrant that you have legal authority over that domain or explicit written permission from the domain owner.
  • Use the Service only for lawful purposes and in compliance with applicable laws.
  • Not attempt to reverse-engineer, decompile, or extract source code from the Service.
  • Not use the Service to conduct attacks, exploit vulnerabilities, or harm third parties.
  • Not resell, sublicense, or redistribute scan data without our written consent.

Violation of acceptable use may result in immediate account termination without refund.

4. Domain Ownership Verification

We reserve the right to require domain ownership verification (e.g., DNS TXT record, meta tag, or similar mechanism) before scanning commences. By adding a domain, you authorize Surfbot to perform external reconnaissance scanning against that domain and its subdomains.

5. Scan Authorization

By using Surfbot, you explicitly authorize us to:

  • Perform DNS enumeration, port scanning, and web fingerprinting against your configured domains and their discovered subdomains.
  • Store and process the results of these scans.
  • Send you notifications about findings.

You acknowledge that scanning generates network traffic to your infrastructure and you accept responsibility for ensuring this is permitted under your own policies and applicable law.

6. Data Ownership

  • Your data: You retain all rights to your scan results, configurations, and account data. We do not claim ownership of your data.
  • Our service: We retain all rights to the Surfbot platform, algorithms, scanning technology, and aggregated/anonymized insights.

7. Service Availability

We aim for high availability but do not guarantee uninterrupted service. We may perform maintenance with reasonable notice. We are not liable for downtime caused by factors outside our control.

8. Payment and Billing

  • Paid plans are billed monthly or annually as selected.
  • All fees are non-refundable except as required by law.
  • We may change pricing with 30 days' notice.
  • Failure to pay may result in service suspension or termination.

9. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

  • THE SERVICE IS PROVIDED “AS IS” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
  • SURFBOT DOES NOT GUARANTEE THAT SCANS WILL DETECT ALL VULNERABILITIES, ASSETS, OR SECURITY ISSUES.
  • IN NO EVENT SHALL SURFBOT'S TOTAL LIABILITY EXCEED THE AMOUNT YOU PAID FOR THE SERVICE IN THE 12 MONTHS PRECEDING THE CLAIM.
  • SURFBOT SHALL NOT BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, DATA, OR BUSINESS OPPORTUNITIES.

10. Indemnification

You agree to indemnify and hold harmless Surfbot from any claims, damages, or expenses arising from: (a) your violation of these Terms, (b) your scanning of domains you are not authorized to scan, (c) your use of scan results, or (d) your violation of applicable law.

11. Responsible Disclosure

If you discover a security vulnerability in the Surfbot platform itself, please report it to [email protected]. We ask that you:

  • Not publicly disclose the vulnerability until we have addressed it.
  • Provide reasonable detail to help us reproduce the issue.
  • Not access or modify other users' data.

We commit to acknowledging reports within 48 hours and providing a timeline for remediation. We do not pursue legal action against good-faith security researchers.

12. Termination

  • By you: You may cancel your account at any time from your dashboard.
  • By us: We may suspend or terminate accounts that violate these Terms, with or without notice depending on severity.

Upon termination, your data will be retained for 30 days, then deleted.

13. Changes to Terms

We may update these Terms. Material changes will be communicated via email at least 30 days before they take effect. Continued use after changes constitutes acceptance.

14. Governing Law

These Terms are governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. Disputes shall be resolved in the courts of Delaware.

15. Contact

For legal questions: [email protected]

For privacy questions: [email protected]

For security reports: [email protected]