Software License Agreement

Effective Date: March 30, 2026

Version 1.0

This Software License Agreement ("Agreement") is entered into between VulNinja LLC ("Licensor," "we," "us," or "VulNinja") and the organization or individual executing an Order Form or subscribing to the platform ("Licensee," "you," or "Customer").

By executing an Order Form, clicking "I Agree," or accessing the vul.ninja platform, Licensee agrees to the terms of this Agreement.


1. Definitions

  • "Platform" means the vul.ninja cloud security scanning, compliance readiness, and AI-assisted remediation software-as-a-service application, including all features, APIs, dashboards, AI agents, and documentation.
  • "Seat" means one (1) unique individual authorized to authenticate to and use the Platform under Licensee's account. A Seat is consumed when a user successfully logs in via Microsoft Entra ID (Azure AD), SSO/SAML, or any other supported authentication method. Each Seat corresponds to a single named person and may not be shared, pooled, or transferred between individuals.
  • "Active User" means any individual who has authenticated to the Platform at least once during the applicable billing period.
  • "Order Form" means the executed document, purchase order, or online subscription specifying the Licensee's selected plan, Seat count, billing period, and pricing.
  • "AI Agents" means the optional Investigation, Remediation, Red Team, and Monitoring AI capabilities available at applicable plan tiers.
  • "Subscription Term" means the period specified in the Order Form during which Licensee is licensed to use the Platform (monthly or annual).

2. Grant of License

2.1 License Scope

Subject to the terms of this Agreement and payment of all applicable fees, VulNinja grants Licensee a non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Platform during the Subscription Term, limited to the number of Seats specified in the applicable Order Form.

2.2 Plan Tiers

The Platform is offered under the following plan tiers, each with distinct capabilities and Seat allowances:

| Plan | Starting Price (Monthly) | Starting Price (Annual) | Base Seats | Cloud Connections | AI Agents |
|---|---|---|---|---|---|
| Apprentice | Free | Free | 1 | 1 | None |
| Adept | $149/mo | $134/mo | Up to 5 | 5 | Investigation |
| Master | $289/mo | $260/mo | Up to 10 | 20 | Investigation, Remediation, Red Team |
| Grandmaster | $499/mo | $449/mo | Up to 5 | Unlimited | All (Investigation, Remediation, Red Team, Monitoring) |

Additional Seats beyond the base allocation are available at scaled pricing. The per-Seat cost increases by approximately 10% for each additional tier of 5 users, reflecting increased infrastructure and support requirements. Exact pricing for additional Seats is specified in the Order Form or on the pricing page at vul.ninja/pricing.

2.3 Industry Packages

Licensees in regulated industries may subscribe to Industry Packages, which include all Grandmaster features plus industry-specific compliance automation:

| Package | Starting Price (5 Seats, Monthly) | Key Compliance Frameworks |
|---|---|---|
| Defense | $3,500/mo | CMMC, NIST SP 800-171, POA&M |
| Healthcare | $3,500/mo | HIPAA Security Rule, PHI Protection |
| SaaS | $5,000/mo | SOC 2 Type II, Trust Center |
| Financial Services | $7,000/mo | PCI-DSS Level 1, CDE Monitoring |
| E-commerce | $5,000/mo | PCI-DSS, GDPR/CCPA, Trust Badges |

All Industry Packages include Investigation and Remediation AI agents. Red Team and Monitoring AI agents are available as an add-on at $1,000/month. Organizations requiring more than 30 Seats must contact VulNinja for custom enterprise pricing.

3. Seat Licensing and Enforcement

3.1 Per-Seat Model

Licensing is strictly per-Seat. Each individual who accesses the Platform — whether to run scans, view results, approve AI agent actions, generate reports, or perform any other function — must be assigned a licensed Seat. There is no "concurrent user" or "floating license" model.

3.2 Seat Assignment

Seats are assigned to named individuals based on their authentication identity (Microsoft Entra ID user principal name, SSO identity, or email address). A Seat may not be shared between individuals. If an employee leaves the organization, their Seat may be reassigned to a replacement individual at no additional charge.

3.3 Seat Counting and Verification

VulNinja determines Seat consumption by counting unique authenticated users within the Licensee's organization during each billing period. VulNinja reserves the right to verify Seat counts through:

  • Platform telemetry: Automated tracking of unique authenticated users via the Platform's identity and access management system.
  • Azure AD / Entra ID verification: Cross-referencing active users against the Licensee's Microsoft Entra ID tenant directory, where the Licensee has integrated SSO/SAML authentication.
  • Audit requests: Written requests for the Licensee to provide a list of individuals who have accessed the Platform during a given period.

3.4 Overage

If the number of Active Users exceeds the licensed Seat count at any point during a billing period, VulNinja will notify the Licensee in writing. The Licensee must either:

  1. Purchase additional Seats at the applicable tier pricing within fifteen (15) business days; or
  2. Reduce the number of Active Users to the licensed Seat count within fifteen (15) business days.

If the Licensee fails to cure the overage within the fifteen (15) business day notice period, VulNinja may:

  • Invoice the Licensee retroactively for the additional Seats at 1.5x the applicable per-Seat rate, backdated to the first day the overage was detected;
  • Restrict new user logins until the Seat count is reconciled; or
  • Suspend the Licensee's account upon thirty (30) days' written notice.

3.5 Annual True-Up

For annual subscriptions, a Seat true-up reconciliation occurs at each renewal. The Licensee's renewal Seat count will be set to the greater of (a) the originally contracted Seat count, or (b) the peak Active User count observed during the prior Subscription Term. The Licensee will be invoiced accordingly at the then-current pricing.

4. Usage Restrictions

4.1 Prohibited Uses

Licensee shall not:

  • Allow any individual to access the Platform who is not assigned a licensed Seat;
  • Share login credentials or authentication tokens between individuals;
  • Use automated tools or scripts to multiplex a single Seat across multiple users;
  • Create service accounts or bot accounts for the purpose of circumventing Seat limits;
  • Reverse engineer, decompile, disassemble, or create derivative works of the Platform;
  • Resell, sublicense, lease, or otherwise distribute access to the Platform to any third party;
  • Use the Platform to scan cloud environments that Licensee does not own or have explicit authorization to scan;
  • Use AI agent features for purposes unrelated to security analysis of Licensee's own infrastructure;
  • Exceed the cloud connection limits of the subscribed plan tier.

4.2 Responsibility for Users

Licensee is responsible for the actions of all individuals who access the Platform under its account. Licensee shall ensure that all users comply with this Agreement and shall promptly deactivate access for any individual whose employment or engagement with Licensee has ended.

5. AI Agent Terms

5.1 Availability

AI Agents are available only on plan tiers that include them (see Section 2.2). Use of AI Agents on plans that do not include them constitutes a material breach.

5.2 Human-in-the-Loop Requirement

All AI Agent actions that modify cloud infrastructure require explicit human approval before execution. VulNinja's AI Agents will never make changes without Licensee authorization. Licensee acknowledges that:

  • AI recommendations are guidance, not guarantees;
  • Licensee is responsible for reviewing and approving all AI-proposed actions;
  • VulNinja is not liable for any consequences of AI-recommended actions that the Licensee approves and executes;
  • Automated remediation includes a 30-day rollback window.

6. Data Rights and Security

6.1 Customer Data Ownership

All scan results, findings, reports, compliance documentation, and other data generated through Licensee's use of the Platform ("Customer Data") belong exclusively to the Licensee. VulNinja claims no ownership of Customer Data.

6.2 Data Processing

VulNinja processes Customer Data solely to provide the Platform services. Security findings are sanitized before AI processing — sensitive identifiers are redacted automatically. VulNinja may use aggregated, anonymized, and de-identified data for service improvement and industry benchmarking.

6.3 Cloud Access

VulNinja accesses Licensee's cloud environments exclusively through read-only IAM roles (AWS), service principals (Azure), or service accounts (GCP) configured by the Licensee. VulNinja does not access application data, customer data, workload contents, or any data beyond cloud configuration metadata required for security scanning.

6.4 Data Retention

Scan history is retained according to the Licensee's plan tier (7 days for Apprentice, 30 days for Adept, 90 days for Master, 365 days for Grandmaster and Industry Packages). Upon termination, Customer Data is deleted within thirty (30) days unless legally required to be retained.

7. Fees and Payment

7.1 Pricing

Fees are as specified in the Order Form or the pricing page at the time of subscription. Annual billing provides a 10% discount over monthly billing. All fees are quoted in United States Dollars (USD) and are exclusive of applicable taxes.

7.2 Payment Terms

Monthly subscriptions are billed in advance on the first day of each billing period. Annual subscriptions are billed in advance for the full Subscription Term. Payment is due within thirty (30) days of invoice for enterprise customers with executed Order Forms, or immediately upon subscription for self-service customers.

7.3 Late Payment

Overdue invoices accrue interest at a rate of 1.5% per month (or the maximum rate permitted by law, whichever is less). VulNinja may suspend access to the Platform if payment is more than thirty (30) days overdue after written notice.

7.4 Price Changes

VulNinja may adjust pricing upon sixty (60) days' written notice. For annual subscribers, price changes take effect at the next renewal. Licensee may terminate without penalty if a price increase exceeds 15% of the prior Subscription Term's fees.

8. Term and Termination

8.1 Term

This Agreement commences on the Effective Date and continues for the Subscription Term specified in the Order Form. Annual subscriptions automatically renew for successive one-year terms unless either party provides written notice of non-renewal at least thirty (30) days before the end of the then-current term.

8.2 Termination for Cause

Either party may terminate this Agreement immediately upon written notice if:

  • The other party materially breaches this Agreement and fails to cure within thirty (30) days of written notice;
  • The other party becomes insolvent, files for bankruptcy, or ceases operations.

8.3 Termination for Convenience

Monthly subscribers may terminate at any time; the subscription remains active through the end of the current billing period. Annual subscribers may terminate with ninety (90) days' written notice; no pro-rata refunds are provided unless otherwise specified in the Order Form.

8.4 Effect of Termination

Upon termination:

  • All user access is revoked immediately;
  • Licensee may export Customer Data for up to thirty (30) days following termination;
  • Cloud credentials stored by VulNinja are deleted immediately;
  • Customer Data is deleted within thirty (30) days;
  • All outstanding fees become immediately due and payable.

9. Warranties and Disclaimers

9.1 VulNinja Warranties

VulNinja warrants that:

  • The Platform will materially conform to the documentation during the Subscription Term;
  • VulNinja will use commercially reasonable security measures to protect Customer Data;
  • VulNinja has the authority to grant the rights described in this Agreement.

9.2 Disclaimer

EXCEPT AS EXPRESSLY SET FORTH IN SECTION 9.1, THE PLATFORM IS PROVIDED "AS IS" AND "AS AVAILABLE." VULNINJA DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. VULNINJA DOES NOT WARRANT THAT THE PLATFORM WILL DETECT ALL SECURITY VULNERABILITIES, THAT AI RECOMMENDATIONS WILL BE ERROR-FREE, OR THAT THE PLATFORM WILL OPERATE WITHOUT INTERRUPTION.

10. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY'S TOTAL AGGREGATE LIABILITY UNDER THIS AGREEMENT EXCEED THE TOTAL FEES PAID OR PAYABLE BY LICENSEE DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY.

IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF DATA, LOSS OF PROFITS, OR BUSINESS INTERRUPTION, REGARDLESS OF THE THEORY OF LIABILITY.

11. Indemnification

11.1 VulNinja Indemnification

VulNinja shall indemnify, defend, and hold harmless Licensee from third-party claims alleging that Licensee's authorized use of the Platform infringes a third party's intellectual property rights, provided Licensee gives prompt notice and reasonable cooperation.

11.2 Licensee Indemnification

Licensee shall indemnify, defend, and hold harmless VulNinja from third-party claims arising from (a) Licensee's breach of this Agreement, (b) Licensee's use of the Platform to scan environments Licensee is not authorized to scan, or (c) Licensee's unauthorized modification of cloud infrastructure based on AI recommendations.

12. Compliance and Audit Rights

12.1 Compliance Obligation

Licensee shall use the Platform in compliance with all applicable laws, regulations, and industry standards, including but not limited to CMMC, NIST SP 800-171, HIPAA, PCI-DSS, SOC 2, GDPR, and CCPA as applicable to Licensee's industry and jurisdiction.

12.2 Audit Rights

VulNinja may audit Licensee's use of the Platform no more than once per twelve (12) months during the Subscription Term and for twelve (12) months following termination, upon thirty (30) days' written notice, to verify compliance with the Seat limits and usage restrictions of this Agreement. Audits will be conducted during normal business hours with reasonable advance coordination. If an audit reveals a material underpayment (exceeding 5% of fees owed), Licensee shall bear the reasonable costs of the audit in addition to paying the underpaid amounts.

13. Confidentiality

Each party agrees to hold the other party's Confidential Information in strict confidence and not to disclose it to any third party except as required to perform obligations under this Agreement or as required by law. Confidential Information includes pricing terms, security findings, technical architecture, and business strategies disclosed under this Agreement. Confidential Information does not include information that is publicly available, independently developed, or rightfully received from a third party.

14. Government Contracts

For Licensees that are U.S. Government contractors or subcontractors, the following additional terms apply:

  • The Platform is commercial computer software as defined in DFARS 252.227-7014 and FAR 2.101;
  • Use, duplication, and disclosure are subject to the restrictions in this Agreement and applicable federal regulations;
  • VulNinja will cooperate with Licensee's compliance obligations under DFARS, FAR, NIST SP 800-171, and CMMC requirements as applicable to VulNinja's role as a service provider;
  • VulNinja acknowledges that Licensee may be subject to ITAR, EAR, or other export control regulations and will not knowingly process Controlled Unclassified Information (CUI) unless the applicable Industry Package (Defense) is in effect and appropriate safeguards are documented in the Order Form.

15. Governing Law and Dispute Resolution

15.1 Governing Law

This Agreement is governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to conflict of laws principles.

15.2 Dispute Resolution

Any dispute arising under this Agreement shall first be escalated to senior management of both parties for resolution within thirty (30) days. If unresolved, disputes shall be submitted to binding arbitration under the rules of the American Arbitration Association, conducted in English in a mutually agreed location. Each party bears its own costs unless the arbitrator determines otherwise. Either party may seek injunctive relief in any court of competent jurisdiction to prevent irreparable harm.

16. General Provisions

16.1 Entire Agreement

This Agreement, together with any executed Order Forms and the Privacy Policy at vul.ninja/privacy, constitutes the entire agreement between the parties and supersedes all prior agreements, proposals, and representations.

16.2 Amendments

VulNinja may update this Agreement with sixty (60) days' written notice. Continued use after the notice period constitutes acceptance. For enterprise customers with executed Order Forms, amendments require mutual written consent.

16.3 Severability

If any provision is held unenforceable, the remaining provisions remain in full force and effect.

16.4 Assignment

Neither party may assign this Agreement without the other party's prior written consent, except in connection with a merger, acquisition, or sale of substantially all assets, provided the assignee agrees to be bound by this Agreement.

16.5 Force Majeure

Neither party is liable for delays or failures caused by events beyond its reasonable control, including natural disasters, government actions, pandemics, cyberattacks on third-party infrastructure, or widespread internet outages.

16.6 Notices

All notices under this Agreement shall be in writing and sent to the addresses specified in the Order Form, or to legal@vul.ninja for notices to VulNinja.

16.7 Waiver

Failure to enforce any provision does not constitute a waiver of that provision or any other provision.


Contact

For questions about this Agreement, licensing, or enterprise pricing, contact us: