1. Acceptance of Terms
By accessing or using the UnveilScan platform (the "Services") operated by Unveil Technology ("we," "our," "us"), you agree to comply with and be bound by these Terms of Service ("Terms"). If you do not agree, do not use the Services.
Last updated: June 2026.
2. The Services
UnveilScan is a web-based passive security audit platform that scores domains out of 100 across DNS, TLS, web headers, email authentication and quality. It also offers a Recon profile for external attack-surface management. The Services include the web console, the REST API, the CLI, the GitHub Action, and any related tooling. We may modify, suspend, or discontinue any aspect of the Services at any time, with reasonable notice for paying users.
3. Accounts
- You must provide a valid email address. Email verification is required before launching Extended, Probe or Recon scans.
- You are responsible for the confidentiality of your password and 2FA recovery codes.
- You are responsible for all activity under your account, including scans launched via API tokens you have generated.
- One natural person, one account — do not share credentials.
4. Scan Profiles — Passivity Contract
UnveilScan offers four scan profiles, each with a clearly defined behaviour:
- Basic — strictly passive. DNS lookups, TLS handshake, plain HTTP GETs on standard endpoints, public sources only. Equivalent in interaction level to a browser visit. Login required, no domain-ownership gate.
- Extended — strictly passive, deeper checks (CT logs enumeration, OSV.dev cross-reference, well-known path probes). Login + domain ownership verification (DNS TXT or /.well-known/) required.
- Probe — sends crafted but non-destructive detection-only probes (e.g. CVE-2021-41773 path-traversal canary). Triple-gated: ownership verified and the request body must contain "ack_active_probes": true and the probe payloads must be read-only with publicly documented signatures. No fuzzing, no brute force, no exploitation.
- Recon — passive external attack-surface discovery (CT logs, DNS resolution, public cloud bucket existence checks, GitHub code search). Login + domain ownership required.
5. Acceptable Use
You agree NOT to:
- Use the Services to scan a domain you do not own or for which you do not have explicit authorization (Extended / Probe / Recon profiles enforce this via the ownership gate; for Basic, you must still respect the law of the jurisdictions involved).
- Use the Services as part of a coordinated denial-of-service attack against a target.
- Attempt to reverse-engineer, copy, or resell the Services or their output beyond what these Terms allow.
- Bypass rate limits or use multiple accounts to circumvent plan quotas.
- Use the Services to facilitate unauthorized access, data exfiltration, or any criminal offence under articles 323-1 to 323-7 of the French Code pénal.
- Attempt to misuse the Probe profile by deliberately providing false ownership proof.
We reserve the right to suspend or terminate any account engaged in such activity and to cooperate with judicial authorities upon valid request.
6. Plans and Pricing
The Services are offered under a transparent pay-once model. Pricing is published on unveilscan.com/pricing. There is no subscription, no auto-renewal, and no surprise charge a year later.
- Free — unlimited Basic scans (17 checkers) on any domain, 3 Extended scans per month, public consent-gated badge, score history, HTML / PDF / JSON / CSV reports.
- 5 domains for 1 year — $299 one-time — pin up to 5 domains, unlimited Extended scans (87 checkers) and Probe scans (89 checkers, triple-gated CVE probes) on those pinned domains, 365-day access from purchase date.
- 10 domains for 1 year — $539 one-time — same as above with 10 pinned domains.
- Stackable — you may purchase additional licenses to add more slots (e.g. two 5-domain licenses = 10 simultaneous slots). Each license has its own independent 365-day clock starting from its purchase date.
- Enterprise — white-label, SSO, on-premise deployment, dedicated SLA — contact us for a tailored quote.
Prices are exclusive of VAT. Payments are processed by Stripe (cards, Apple Pay, Google Pay, SEPA). Once a scan has been launched against a pinned domain, the corresponding license is non-refundable. Approximately 30 days before a license expires, we will notify you by email so you can decide whether to renew. After expiry, your pinned domains revert to the Free tier (3 Extended/month, no Probe); your account, history and configuration are preserved — you may purchase a new license at any time and your domains will be automatically re-pinned without re-doing setup.
To swap a pinned domain during the active period of a license, please contact [email protected] — we will release the slot for you. Self-service slot management is planned for a future console update.
7. Quotas and Rate Limits
API endpoints are rate-limited (10 requests/second on auth endpoints per IP, 30 requests/second per user-or-IP on authenticated endpoints, with bursts). Exceeding the rate limit returns HTTP 429. Plan-specific scan quotas apply. We will not silently downgrade your service without notice.
8. Intellectual Property
The UnveilScan platform, its source code, the checker logic, the curated remediation snippets, the compliance mapping table, and all related documentation are owned by Unveil Technology or its licensors. The output of a scan run on a domain you own is yours to use, redistribute, and embed in your reports. The public consent-gated badge SVG is provided under the same terms (free reuse, no warranty).
9. Disclaimer of Warranties
The Services are provided "as is" and "as available." A passing UnveilScan score does not imply that the scanned domain is free of vulnerabilities; it reflects the absence of issues across the 91 checkers we currently run. Likewise, a low score does not imply imminent compromise. We make no warranty regarding the absolute reliability, security, or availability of the Services or the accuracy of every finding.
10. Limitation of Liability
To the maximum extent permitted by law, Unveil Technology shall not be liable for any indirect, incidental, special, or consequential damages, loss of data, profits, or business opportunities arising from the use or inability to use the Services. Direct damages, if any, shall not exceed the amount paid by you for the Services in the twelve (12) months preceding the event giving rise to the claim.
11. Indemnification
You agree to indemnify and hold Unveil Technology harmless from any third-party claims arising from your violation of these Terms, your misuse of the Services, or any scan you have launched against a target you did not own or were not authorised to scan.
12. Termination
You may terminate your account at any time from the security page of the console. We may terminate or suspend your account for breach of these Terms, with reasonable notice except in cases of severe misuse (denial-of-service, scanning unauthorized targets) where suspension is immediate. Upon termination, scan history, schedules, alerts and audit log entries are removed within 30 days, except for billing records retained per French Code de commerce art. L123-22.
13. Governing Law & Disputes
These Terms are governed by the laws of France. Any disputes shall be resolved in the competent courts of Paris, France, unless mandatory consumer-protection rules of your country of residence apply.
14. Modifications to Terms
We may update these Terms as the product and applicable regulations evolve. Significant changes will be communicated to active users by email at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
15. Contact
Questions regarding these Terms: [email protected].