Terms of Use
Last updated: March 2026
1. Scope and Provider
These Terms of Use govern your access to and use of Supasec ("Service"), a security scanning and monitoring platform operated from Germany.
By accessing or using our Service, you agree to be bound by these Terms. If you do not agree to these Terms, please do not use the Service.
Provider:
Supasec, a brand of kaion.ventures
Christian Schulze
Bethmannstr. 8
60311 Frankfurt
Germany
Email: support@supasec.co
2. Description of Service
Supasec provides automated security assessments for publicly deployed web applications, with a focus on applications built on Supabase and similar backend-as-a-service platforms.
The Service includes:
- Automated scanning of publicly accessible endpoints, headers, and client-side code
- Detection of misconfigured access policies, exposed credentials, and open endpoints
- Security reports with findings and suggested remediation prompts
- Ongoing monitoring for newly introduced vulnerabilities
The Service is provided "as is" and "as available" without any guarantees regarding the completeness or accuracy of scan results.
3. Nature and Lawfulness of Scans
3.1 Passive, Non-Invasive Scanning
Our scans are limited to information that is publicly accessible. Specifically, the Service:
- Sends standard HTTP requests to publicly available endpoints, equivalent to what any web browser or search engine crawler performs
- Inspects client-side source code, JavaScript bundles, and network responses that are served to any visitor of the scanned application
- Queries publicly exposed APIs using only publicly available keys (e.g. Supabase anon keys embedded in client-side code)
- Checks HTTP response headers, security configurations, and publicly enumerable paths
3.2 What the Service Does NOT Do
The Service does not:
- Circumvent, bypass, or override any access controls or authentication mechanisms
- Attempt to log in using discovered credentials or tokens
- Access, modify, delete, or exfiltrate any user data or protected data
- Perform denial-of-service testing or stress testing
- Exploit discovered vulnerabilities in any way
- Intercept non-public data transmissions
Our scanning methodology is designed to remain within the bounds of publicly observable information and does not constitute unauthorized access to data within the meaning of § 202a StGB (German Criminal Code), as no access controls are circumvented and no protected data is accessed.
3.3 Unsolicited Scans
The Service may scan publicly deployed applications without prior authorization from the application owner. These scans are limited to publicly accessible information as described in Section 3.1 and do not constitute penetration testing.
When we identify potential security issues, we may contact application owners to share findings. This outreach is informational in nature and intended to help application owners identify and resolve security risks. Recipients are under no obligation to engage with or respond to our communications.
3.4 Compliance with German Law
The Service is operated in accordance with German law, including:
- § 202a StGB (Data Espionage): Our scans do not access data that is protected against unauthorized access, nor do we circumvent any access protections. All data assessed by the Service is publicly served by the scanned application to any requesting client.
- § 202b StGB (Data Interception): The Service does not intercept non-public data transmissions. All assessed data is obtained through standard, publicly available HTTP communication.
- § 303a StGB (Data Alteration): The Service does not modify, delete, or alter any data on scanned systems. All interactions are strictly read-only.
- UWG (Unfair Competition Act): Outreach communications are informational and provide genuine value to recipients. We do not engage in misleading or deceptive commercial practices.
- GDPR / DSGVO: Any personal data encountered during scans (e.g. publicly exposed email addresses) is processed solely for the purpose of security reporting and is handled in accordance with our Privacy Policy and applicable data protection law.
4. Account Registration
To access scan reports, monitoring, and remediation features, you must create an account. You agree to:
- Provide accurate and complete registration information
- Maintain the security of your account credentials
- Accept responsibility for all activities under your account
- Notify us immediately of any unauthorized access
We reserve the right to suspend or terminate accounts that violate these Terms.
5. Subscription and Pricing
Supasec uses a credit-based pricing model. Each plan includes a monthly or one-time credit allocation. Scans, re-scans, and agent actions consume credits from your balance.
Plans
We offer recurring monthly plans (Starter, Agent) and a one-time plan (Due Diligence) with time-limited access. Plan details and credit amounts are listed on our pricing page.
Credits
Credits are allocated per billing cycle for monthly plans. Unused credits do not roll over. One-time plans include a fixed credit allocation valid for the access period.
Pricing Changes: We reserve the right to modify pricing at any time. Changes for existing subscriptions take effect at the next billing cycle following 30 days' notice.
Billing: Monthly subscriptions are billed in advance on a recurring basis. You authorize us to charge your payment method for the applicable fees.
Cancellation: You may cancel at any time through your account settings. Your subscription remains active until the end of the current billing period. No refunds are issued for partial periods or unused credits.
6. Limitation of Liability
To the maximum extent permitted by applicable law:
- No Guarantee of Completeness: Security scans are inherently limited. The Service does not guarantee that all vulnerabilities will be detected. A clean scan report does not mean an application is free of security issues.
- No Guarantee of Accuracy: Scan results may include false positives or miss certain types of vulnerabilities. Reports are informational and should not be treated as a substitute for professional security audits or penetration testing.
- No Liability for Remediation Outcomes: Remediation prompts and fix suggestions are provided as guidance. We are not responsible for any issues arising from the application of suggested fixes, including but not limited to data loss, downtime, or introduction of new issues.
- No Liability for Third-Party Actions: We are not liable for any unauthorized access, data breach, or other security incident affecting scanned applications, whether or not such incidents relate to vulnerabilities identified or missed by our Service.
- No Warranty: The Service is provided "as is" and "as available" without warranties of any kind, whether express or implied, including warranties of merchantability, fitness for a particular purpose, or non-infringement.
- Maximum Liability: Our total liability for any claims arising from the Service shall not exceed the amount you paid us in the twelve (12) months preceding the claim.
These limitations apply even if we have been advised of the possibility of such damages. Mandatory consumer protection provisions under German or EU law remain unaffected.
7. Responsible Disclosure
If our scans identify critical vulnerabilities that pose an immediate risk to user data, we may disclose findings to the application owner with reasonable urgency. We follow responsible disclosure practices:
- Findings are communicated directly and privately to the application owner
- We do not publicly disclose vulnerabilities without the owner's consent
- We provide reasonable time for remediation before any follow-up
- We do not exploit or demonstrate vulnerabilities beyond proof of existence
8. User Conduct
You agree not to use the Service to:
- Violate any applicable laws or regulations
- Submit scan targets you know to be operated by entities that have explicitly prohibited scanning
- Use scan results to exploit vulnerabilities in any application
- Redistribute or publicly disclose scan reports for applications you do not own or operate without the owner's consent
- Interfere with or disrupt the Service or its infrastructure
- Attempt to gain unauthorized access to any part of the Service
9. Intellectual Property
The Service, its scanning methodology, report formats, and original content are owned by Supasec and protected by intellectual property laws. Scan reports are licensed to the account holder for their own use. You may share reports for applications you own or operate with your team, investors, or auditors.
10. Data and Privacy
Please review our Privacy Policy to understand how we collect, use, and protect data.
Regarding scanned applications: any data observed during scans is processed solely for generating security reports. We do not store, sell, or share user data from scanned applications beyond what is necessary for the report. Publicly exposed personal data discovered during scans (e.g. email addresses served by misconfigured database policies) is flagged in reports but not retained beyond the report lifecycle.
11. Service Availability
We strive to maintain high availability but do not guarantee uninterrupted access. We may perform maintenance, modify features, or temporarily suspend the Service for technical or security reasons.
Monitoring schedules are best-effort. We do not guarantee specific scan frequencies or response times for newly detected vulnerabilities.
12. Termination
Either party may terminate this agreement at any time. You may terminate by deleting your account. We may terminate or suspend your access immediately for breach of these Terms.
Upon termination, your right to use the Service ceases. We may delete your data in accordance with our retention policies and applicable law.
13. Changes to Terms
We may modify these Terms at any time. Material changes will be communicated by posting updated Terms and updating the "Last updated" date. Continued use after changes constitutes acceptance.
14. Governing Law and Jurisdiction
These Terms are governed by the laws of the Federal Republic of Germany.
For consumers within the European Union, mandatory consumer protection provisions of your country of residence apply where they provide greater protection.
Disputes shall be subject to the exclusive jurisdiction of the courts of Frankfurt am Main, Germany.
15. Severability
If any provision is found unenforceable, it shall be limited or eliminated to the minimum extent necessary. The remaining provisions continue in full force.
16. Contact
Questions about these Terms:
Email: support@supasec.co