Legal

Terms of service.

Effective 2026-04-28

By using CipherM (the cipherm-scan CLI, the cipherm-tls validator, the public CBOM registry at cipherm.io, or any paid tier when launched) you agree to these terms.

Licenses

  • Scanner CLI — Apache License 2.0. See scanner/LICENSE in the public repository.
  • Detection ruleset — Apache License 2.0.
  • Hosted registry, dashboard, Audit Pack, and Pro features — proprietary; you get a non-exclusive non-transferable right to use them subject to these terms.
  • Public CBOMs you upload — you grant CipherM the non-exclusive right to host, display, and serve them. They appear on the public registry by default; you can mark them unlisted at upload time. We don't claim ownership of your CBOM content.

Acceptable use

You agree not to:

  • Upload CBOMs containing other people's data without authorization
  • Use CipherM to harass, defame, or doxx anyone
  • Use CipherM output as the sole basis for compliance attestation without independent review (the scanner is informational, not authoritative)
  • Launch volumetric DoS attacks against the registry; for heavy testing, run the OSS CLI locally
  • Reverse-engineer or scrape paid endpoints, or circumvent their rate limits
  • Resell or sublicense access to the hosted registry without prior written consent

No warranty

CipherM is provided "as is." Detection findings may include false positives or false negatives. CipherM does NOT certify your codebase as quantum-safe, NIST-compliant, or audit-ready. The output is informational input to your security and compliance decisions; you and your auditors are responsible for those decisions.

We make a good-faith effort to keep detection rules current with NIST FIPS 203/204/205, CNSA 2.0, and PCI-DSS 4.0 guidance, but we don't guarantee that every relevant standard is reflected at every point in time.

Liability

To the maximum extent permitted by law, CipherM's aggregate liability for any claim related to the service is limited to the amount you paid CipherM in the 12 months preceding the claim. For free-tier users, this limit is $100 USD.

Termination

You may stop using CipherM at any time. We may suspend or remove specific CBOMs that violate these terms or for which we receive valid takedown requests, with reasonable notice when feasible.

Changes

We may update these terms. Material changes will be communicated 30 days in advance via the homepage and to waitlist subscribers. Continued use after the effective date constitutes acceptance.

Governing law

These terms are governed by the laws of the State of Georgia, USA, without regard to conflict-of-law principles. Disputes will be resolved in the state or federal courts located in Fulton County, Georgia.

Contact

legal@cipherm.io (alias for the founder inbox).