Terms of Service.
These terms govern your use of AttackEdge and the associated website, app, and reports. We have tried to write them in plain English. When the language has to be legal, we keep it short.
1. About us
AttackEdge is operated by ArmoniaLabs (sole trader, registered business name "ArmoniaLabs"), ABN 81 392 893 669, with registered address at Sydney, NSW, Australia. In these terms, "we", "us" and "our" mean ArmoniaLabs. "You" means the person or organisation using the service.
For contact about these terms, email legal@attackedge.io.
2. What the service is
AttackEdge is an external attack-surface scanning service, delivered as a subscription billed through Stripe. We collect information about internet-facing systems you nominate, analyse that information with automated tools and AI, and present findings in the app and in a downloadable report. The full scope of what we check, and what we deliberately do not do, is listed on our methodology page. That methodology page is incorporated by reference into these terms.
What the service is not: a penetration test, a PCI DSS ASV scan, an audit of your internal network or cloud tenants, a SIEM or EDR replacement, or a substitute for legal, compliance, or insurance advice.
3. Your account
You need an account to add scopes, run scans, and access reports. You are responsible for keeping your credentials secure and for all activity that happens under your account. Tell us at security@attackedge.io if you suspect unauthorised access.
You must be at least 18 and able to enter a binding contract. If you are using AttackEdge on behalf of an organisation, you warrant you have authority to bind that organisation.
4. Scanning authorisation (important)
4.1 Authorisation. You authorise us to perform vulnerability scanning of every Target System you add to the service. "Target System" means a domain, subdomain, IP address, IP range, hosted service URL, or other internet-facing system you nominate inside a scope.
4.2 Your warranty. You warrant and represent that, for each Target System you add, you have and will maintain at all times during your use of the service all necessary rights, permissions, authorisations, and consents from the legal owner or licensor of that Target System to permit us to perform vulnerability scanning, including active scanning techniques such as port scanning, service detection, and vulnerability probing.
4.3 Criminal exposure. You acknowledge that unauthorised scanning of computer systems may constitute an offence under sections 477 and 478 of the Criminal Code Act 1995 (Cth), the United States Computer Fraud and Abuse Act, the United Kingdom Computer Misuse Act 1990, and equivalent statutes in other jurisdictions. You accept sole responsibility for ensuring your authorisation is valid and current.
4.4 Indemnity. You indemnify us against any claim, action, loss, damage, cost, or expense (including legal costs on a solicitor-client basis) arising from a Target System being added or scanned in breach of clause 4.2.
4.5 Sensitive-target carve-out. You will not add, without first obtaining our prior written approval: (a) Target Systems belonging to Australian Federal, State, or Territory government bodies; (b) entities classified as critical infrastructure under the Security of Critical Infrastructure Act 2018 (Cth); or (c) financial institutions, telecommunications carriers, or healthcare providers. To request approval, contact hello@attackedge.io with the asset owner's authorisation and contact details.
4.6 Suspension and abuse process. We may suspend scanning of any Target System on receipt of a credible third-party complaint, pending verification of your authorisation. Suspected misuse can be reported to security@attackedge.io and we aim to action complaints within one business day.
4.7 Optional written authorisation. Where the in-app attestation is not sufficient for your situation (consultant or MSP engagements, IP ranges without a single web service, audit requirements, or any case where the asset owner is not the account holder), the scan authorisation form at attackedge.io/authorize-scan records a stronger written authorisation. Use of that form is not a precondition for scanning under these terms; clauses 4.1–4.6 are.
5. Plans and pricing
AttackEdge is sold as Solo and SMB subscriptions, a contact-sales MSP tier, one-off Snapshot reports, and one-off scan packs. Subscriptions are billed monthly or annually through Stripe. The currency you see at signup is the currency you are charged in for the life of that subscription, in either Australian Dollars (AUD) or US Dollars (USD). The applicable rate is the rate published on our pricing page at the time you subscribe or buy a one-off item. Stripe processes every charge; we do not see or store your full card details.
5.1 What is included. Solo includes 15 scan units per billing cycle. SMB includes 50 scan units per billing cycle. One scan unit is one active-probe pass against one host. Continuous discovery (subdomain enumeration, DNS, TLS inventory, email-authentication checks) is included on monitored assets and does not consume scan units.
5.2 Annual billing. Annual subscriptions are charged upfront for 12 months at the monthly rate multiplied by ten (the equivalent of two months free over the year). You can switch between monthly and annual billing any time through the Stripe billing portal; Stripe handles the dollar proration.
5.3 Quota does not roll over. The included scan-unit allowance resets at the start of each billing cycle. Any unused portion of the cycle quota expires when the cycle ends.
5.4 Smart and Custom modes. Smart mode allocates the included scan quota across the cycle automatically based on platform-side priority signals. Custom mode lets you pin specific hosts to a cadence and reserve up to 50% of the cycle quota for manual scans you trigger yourself. The mode is a setting on your account; either mode draws from the same monthly quota.
5.5 Assets. Asset count is not the billing meter. You can add monitored assets as your footprint changes; available scan units determine how often those assets can be actively scanned.
5.6 Scan packs. A scan pack is a one-off Stripe Checkout purchase that adds 10 scan units to the current billing cycle. Scan packs are not subscriptions, do not auto-renew, and do not roll over to the next cycle. Scan packs are non-refundable. Any unused scan-pack units expire when the current cycle ends.
5.7 Pricing changes. We may change our published pricing at any time for new purchases. Changes do not affect a subscription already in an active billing period; the new rates apply at the next renewal.
6. Refunds
Our refund policy is written out separately at attackedge.io/refund and is incorporated into these terms. In short:
- You can cancel a subscription any time from the Stripe billing portal. Cancellation stops future charges; the current billing period is not refunded.
- Scan packs are one-off purchases and are non-refundable. Unused scan-pack units expire at the end of the current billing cycle.
- Exceptional refunds (billing errors, duplicate charges, a service we could not deliver) are handled manually over email to hello@attackedge.io.
- These arrangements are in addition to, and do not limit, any statutory right you have under the Australian Consumer Law or an equivalent law that applies to you (see section 9).
7. Acceptable use
Your use of AttackEdge is bound by our Acceptable Use Policy, which covers target ownership, prohibited uses, and responsible disclosure. Breach of that policy may result in immediate suspension or termination of your account.
8. Subscription lifecycle and access after cancellation
When a subscription ends (whether through customer cancellation, non-payment after Stripe's standard retry period, or chargeback), your account moves through a defined lifecycle:
- Read-only for 90 days. You can sign in, view existing reports and findings, and export them to CSV or PDF. New scans are paused, integrations stop writing out, and retests are unavailable. You can reactivate the subscription at any time through the Stripe billing portal.
- Locked from day 90 to day 365. Sign-in continues to work, but the only screen available is a reactivate-or-delete screen. Findings and exports are not visible during this window. You can still reactivate.
- Purged at one year. One year from the date the subscription ended, scans, findings, hosts, scopes, AI reports, and quota records are deleted. Your auth record and historical Stripe invoice access are retained so you can still log in and download invoices, but the scan data itself is gone and cannot be recovered.
Reactivating the subscription at any point in this lifecycle clears the timers and returns the account to active status. Purge is irreversible; once it runs, the data cannot be restored.
If you want your account and scan history deleted before the end of the read-only window, email hello@attackedge.io from the email address on your account and we will action it within seven days.
9. Consumer guarantees
If you are a "consumer" within the meaning of the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)), nothing in these terms excludes, restricts, or modifies any consumer guarantee, right, or remedy that cannot be lawfully excluded. Where it is fair to do so, our liability for breach of those non-excludable guarantees is, to the extent permitted by law, limited to either resupplying the service or refunding the price paid.
Customers in the United Kingdom, European Union, and elsewhere retain equivalent statutory rights under their local law. Those rights are preserved.
10. Service levels and support
Our published support hours, response targets, and channels are set out on the support page. Those targets are non-binding outside the consumer guarantees referred to in section 9: they describe how we work, not contractual penalties. Where the service fails to meet a non-excludable guarantee, your statutory remedies apply regardless of the published targets.
If we fail to deliver the service materially as described for more than seven consecutive days inside a billing period, the pro-rata credit process described in the Refund Policy section 7 applies.
11. Our warranties
We will provide the service with reasonable care and skill, using industry-recognised tools and techniques. We do not guarantee that scans will find every vulnerability that exists in your systems, or that fixing every finding in our report will make your systems secure. Attack-surface scanning is one piece of a broader security posture.
12. Limitation of liability
To the maximum extent permitted by law, and subject to section 9 above, our total liability to you for any claim arising out of or in connection with your use of the service is limited to the amount you paid us in the twelve months preceding the event giving rise to the claim. We are not liable for indirect, consequential, special, or incidental loss, including loss of profit, loss of data, business interruption, or reputational harm, even if such loss was foreseeable.
13. Your indemnity
You agree to indemnify us against any claim, cost, loss, or damage we suffer arising from:
- Targets you submitted that you did not own or have authority to scan.
- Your breach of these terms or our Acceptable Use Policy.
- Your unlawful or negligent conduct in connection with the service.
14. Termination
Either of us can terminate at any time. You can cancel your subscription from the Stripe billing portal at any time, or close your account by emailing hello@attackedge.io. We may suspend or terminate your account immediately if you breach these terms or our Acceptable Use Policy.
On termination, the lifecycle described in section 8 applies. See our Privacy Policy for the related retention specifics.
15. Changes to these terms
We may update these terms from time to time. If a change materially affects your rights or obligations, we will notify you by email or through the product before the change takes effect. Your continued use of the service after notice means you accept the updated terms. You can always see the current version on this page.
16. Governing law and jurisdiction
These terms are governed by the laws in force in New South Wales, Australia. You and we submit to the exclusive jurisdiction of the courts of New South Wales and the courts competent to hear appeals from those courts.
If you are outside Australia, this choice of law and forum still applies. You may have additional rights under your local consumer-protection law that cannot be waived by contract; those rights are preserved.
17. General
Entire agreement: these terms together with the Privacy Policy, Refund Policy, Acceptable Use Policy, and methodology page are the complete agreement between us.
Severability: if any provision is held unenforceable, the rest remain in force.
No waiver: our failure to enforce a provision is not a waiver of it.
Assignment: you may not assign these terms without our written consent. We may assign these terms to a successor entity.
18. Contact
Questions about these terms: legal@attackedge.io. General questions: hello@attackedge.io.