Terms of Service
Intake
Effective Date: March 29, 2026
These Terms of Service ("Terms") are a legal agreement between you and Intake Security, Inc. ("Intake Security," "we," "us," or "our"). They govern your access to and use of the Intake platform, including our website, cloud-hosted service, APIs, and documentation (collectively, the "Service").
By creating an account, submitting a vulnerability report, or otherwise using the Service, you agree to these Terms. If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization to these Terms.
If you do not agree, do not use the Service.
1. Description of Service
Intake is a platform that enables organizations to create and manage their own vulnerability disclosure programs ("VDPs") and bug bounty programs ("BBPs"), including receiving, triaging, and resolving security vulnerability reports from reporters. The Service includes:
- Program pages — branded public pages where organizations publish their vulnerability disclosure policies, scope, and submission forms.
- Triage dashboard — a management interface for reviewing, prioritizing, and resolving submitted reports.
- AI-assisted features — optional AI capabilities including response drafting, auto-triage, and report analysis, powered by third-party large language model providers (see Section 9).
- Inbound email — email-based report submission and communication.
- Integrations — connections to third-party tools (e.g., Jira, Slack) for workflow automation.
- Audit logging — immutable activity logs in Open Cybersecurity Schema Framework (OCSF) format.
We may modify, update, or discontinue features of the Service at any time. We will provide reasonable notice for changes that materially reduce functionality available under your current subscription.
2. User Types and Eligibility
The Service supports two classes of users:
A. Organizations ("Customers")
Organizations subscribe to the Service to operate vulnerability disclosure programs. By subscribing, you agree to:
- Designate at least one authorized administrator for your account.
- Provide accurate organization and billing information.
- Respond to submitted vulnerability reports in a timely and professional manner.
- Comply with all applicable laws governing vulnerability disclosure in your jurisdiction.
- Confirm that you possess all necessary rights and authorizations to permit security testing on any systems, software, or infrastructure listed in your program scope. You are solely responsible for ensuring that your program does not authorize testing on systems you do not own or control without the third party's consent.
B. Reporters
Reporters use the Service to submit vulnerability reports to organizations. By using the Service, you agree to:
- Comply with the program policy published by each organization you submit reports to. Program policies are set by the organization, not by Intake Security.
- Use the Service only for legitimate vulnerability reporting purposes.
- Not use the Service to harass, extort, or threaten organizations or individuals.
Reporters must be at least 18 years of age to use the Service.
3. Account Registration and Security
To access the Service, you must create an account.
- You agree to provide accurate, current, and complete information during registration.
- You are solely responsible for maintaining the confidentiality of your credentials and for all activities that occur under your account.
- You must enable two-factor authentication (2FA) if required by your organization's security policy.
- You must notify us immediately at [email protected] if you suspect unauthorized access to your account.
We are not liable for any loss arising from unauthorized use of your account where you have failed to maintain adequate credential security.
4. Subscriptions, Billing, and Payments
A. Plans
The Service is available under three plans:
- Free — includes core vulnerability disclosure program management features at no cost, including AI-powered report structuring, duplicate detection, spam filtering, and up to 3 team members.
- Starter — includes AI-powered triage (severity classification, priority suggestion, CWE identification), Slack integration, and up to 5 team members. Billed monthly.
- Pro — includes the full AI suite (action proposals, remediation plans, learning loop, trend insights), Jira integration, API webhooks, custom branding, and unlimited team members. Billed monthly or annually.
Feature availability varies by plan and is described on our pricing page. We reserve the right to change pricing with 30 days' notice before your next billing cycle.
A-1. Free Trial
New accounts receive a 14-day free trial of Pro-level features. No credit card is required. When the trial expires, your account automatically downgrades to the Free plan. Your data remains accessible — AI-generated analysis from the trial period is preserved, but AI-powered features beyond the Free tier will no longer be available until you subscribe to a paid plan.
B. Billing
- Paid subscriptions are billed in advance on a recurring basis. Starter plans are billed monthly. Pro plans may be billed monthly or annually, as selected at the time of purchase.
- Payment is processed by Stripe. We do not directly store your credit card information.
- Your subscription renews automatically at the end of each billing cycle unless you cancel before the renewal date.
C. Taxes
You are responsible for all applicable taxes. If we are required to collect taxes, they will be added to your invoice.
D. Cancellation and Refunds
You may cancel your subscription at any time from your account settings. Upon cancellation:
- You retain access to paid features until the end of your current billing period.
- Payments are non-refundable, except where required by applicable law.
- Your data remains available for export for 30 days after your subscription ends, after which it may be deleted.
5. Acceptable Use
You agree not to use the Service to:
- Violate any applicable local, state, national, or international law or regulation.
- Submit fraudulent or fabricated vulnerability reports.
- Conduct vulnerability testing against systems without authorization from the system owner.
- Upload malicious code intended to harm the Service, other users, or third parties.
- Attempt to reverse engineer, decompile, or gain unauthorized access to the Service's infrastructure.
- Circumvent access controls, rate limits, or other security mechanisms of the Service.
- Use the Service to harass, threaten, or extort organizations or individuals.
- Transmit unsolicited communications, spam, or phishing content through the Service.
- Resell, sublicense, or redistribute access to the Service without our written consent.
- Impersonate another person or entity, or misrepresent your affiliation with any person or entity.
We reserve the right to suspend or terminate your account immediately, without prior notice, if we determine you have violated these rules.
Export Controls and Sanctions
The Service is operated from the United States. You may not use the Service if you are located in, or a national or resident of, any country subject to U.S. trade sanctions or embargoes, or if you are listed on the U.S. Treasury Department's Specially Designated Nationals (SDN) list, the U.S. Commerce Department's Denied Persons List, or any other applicable restricted party list. You represent and warrant that your use of the Service complies with all applicable U.S. export control and sanctions laws.
6. Vulnerability Report Handling
A. Report Ownership
Vulnerability reports submitted through the Service are provided by the reporter to the organization operating the relevant program. Intake Security acts solely as a platform facilitator and does not claim ownership of report content.
B. Program Policies
Organizations are solely responsible for defining and publishing their own program policies, including scope, rules of engagement, disclosure timelines, and safe harbor terms. Intake Security does not set, enforce, or mediate program policies on behalf of organizations.
C. Intake's Role
Intake Security does not verify, validate, or guarantee the accuracy of vulnerability reports. We do not mediate disputes between organizations and reporters. We may, however, remove content that violates these Terms or applicable law.
7. Intellectual Property
A. Our Intellectual Property
Intake Security owns all rights, title, and interest in and to the Service, including its software, design, branding, documentation, and original content.
B. Your Data
You retain all ownership rights to the data, text, files, attachments, and content you upload or create using the Service ("User Data"). By using the Service, you grant us a limited license to host, store, process, and transmit your User Data solely for the purpose of providing and improving the Service.
We will not use your User Data for advertising, sell it to third parties, or share it except as described in these Terms and our Privacy Policy.
C. Feedback
If you provide suggestions, ideas, or feedback about the Service, we may use it without obligation or compensation to you.
8. Data Security and Encryption
We take the security of vulnerability data seriously. Our security measures include:
- Encryption in transit — all data transmitted between you and the Service is encrypted using TLS.
- Encryption at rest — sensitive data, including organization secrets and API keys, is encrypted using AES-256-GCM envelope encryption with per-organization key isolation.
- Multi-tenant isolation — organization data is logically isolated using PostgreSQL Row-Level Security (RLS) and application-level access controls.
- Audit logging — all significant actions are logged in OCSF v1.3.0 format for compliance and forensic purposes.
- Access controls — role-based access control (RBAC) with owner, admin, triager, and viewer roles.
While we implement industry-standard security practices, no system is perfectly secure. We cannot guarantee that the Service will be immune to all security threats.
9. Third-Party Services and AI Features
A. Third-Party Integrations
The Service may integrate with third-party services such as issue trackers (e.g., Jira), messaging platforms (e.g., Slack), identity providers (e.g., GitHub, Google, Microsoft via OIDC), and payment processors. Your use of any third-party service is governed by that service's own terms and privacy policies. Intake Security is not responsible for the availability, accuracy, or practices of any third-party service. We do not endorse or guarantee any third-party integration.
B. AI-Powered Features
The Service includes optional AI-powered features that use third-party large language model (LLM) providers to assist with report triage, response drafting, and analysis.
When AI features are enabled, relevant portions of vulnerability report data (such as report descriptions, titles, and metadata) may be sent to the LLM provider you have configured for processing. Supported providers include OpenAI, Anthropic, and Google (Gemini).
C. Your Control
- AI features are enabled by default. During the 14-day free trial, all AI features are active at Pro level. After the trial, available AI features depend on your plan tier.
- API keys for third-party LLM providers are managed by Intake Security and encrypted at rest. Organizations do not need to provide or manage their own keys.
- Organizations can configure synthesis mode (manual or automatic) and enable or disable auto-triage from their settings.
D. Third-Party Provider Terms
When you enable AI features, your use of third-party LLM providers is also subject to those providers' terms of service and privacy policies. Intake Security is not responsible for how third-party providers process data sent to their APIs. We recommend reviewing your chosen provider's data retention and training policies.
E. No Guarantee of AI Output
AI-generated content (such as suggested responses or triage classifications) is provided as a convenience. It may be inaccurate, incomplete, or inappropriate. You are solely responsible for reviewing and approving any AI-generated content before it is sent to reporters or used to make triage decisions.
10. Disclaimer of Warranties
THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, INTAKE SECURITY EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.
WE DO NOT WARRANT THAT:
- THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE;
- VULNERABILITY REPORTS SUBMITTED THROUGH THE SERVICE WILL BE ACCURATE OR COMPLETE;
- AI-GENERATED CONTENT WILL BE CORRECT OR APPROPRIATE; OR
- THE SERVICE WILL MEET YOUR SPECIFIC REQUIREMENTS.
11. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, INTAKE SECURITY SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS OPPORTUNITY, WHETHER INCURRED DIRECTLY OR INDIRECTLY, REGARDLESS OF WHETHER WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO EVENT SHALL OUR AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE EXCEED THE GREATER OF:
- (A) THE TOTAL AMOUNT YOU PAID US FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM; OR
- (B) ONE HUNDRED U.S. DOLLARS ($100.00).
THESE LIMITATIONS APPLY TO ALL CAUSES OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE.
12. Indemnification
You agree to indemnify, defend, and hold harmless Intake Security and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to:
- Your use of the Service in violation of these Terms.
- Your violation of any applicable law or regulation.
- Any vulnerability report you submit or receive through the Service.
- Any dispute between you and another user of the Service.
- Your use of AI features and any reliance on AI-generated content.
13. Termination
A. By You
You may terminate your account at any time through your account settings or by contacting us at [email protected].
B. By Us
We may suspend or terminate your access to the Service at our sole discretion, with or without notice, for any reason, including but not limited to:
- A breach of these Terms.
- Conduct that we reasonably believe is harmful to other users, third parties, or the Service.
- Extended inactivity on a free-tier account (180 days or more).
- Failure to pay applicable fees.
C. Effect of Termination
Upon termination:
- Your right to access the Service ceases immediately.
- We may delete your data after a reasonable retention period (30 days), except where we are required by law to retain it.
- Provisions that by their nature should survive termination (including Sections 7, 10, 11, 12, and 14) will continue to apply.
14. Governing Law and Dispute Resolution
These Terms shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict-of-law provisions.
Any dispute arising out of or relating to these Terms or the Service shall be resolved exclusively in the state or federal courts located in the State of Delaware. You consent to the personal jurisdiction of those courts.
Class Action Waiver. To the maximum extent permitted by applicable law, you agree that any dispute resolution proceedings will be conducted only on an individual basis and not in a class, consolidated, or representative action. You waive any right to participate in a class action lawsuit or class-wide arbitration against Intake Security. If this waiver is found to be unenforceable for a particular claim, that claim must be severed and proceed individually.
15. Changes to These Terms
We may update these Terms from time to time. If we make material changes, we will notify you by email or through a prominent notice within the Service at least 30 days before the changes take effect.
Your continued use of the Service after the effective date of updated Terms constitutes your acceptance of those changes. If you do not agree to the updated Terms, you must stop using the Service and terminate your account.
16. General Provisions
- Entire Agreement. These Terms, together with our Privacy Policy, Data Processing Addendum (DPA), Service Level Agreement (SLA), and any applicable subscription agreement, constitute the entire agreement between you and Intake Security regarding the Service. Where a separate DPA or SLA has been executed, its terms control in the event of a conflict with these Terms on the subject matter it covers.
- Severability. If any provision of these Terms is found to be unenforceable, the remaining provisions will continue in full force and effect.
- Waiver. Our failure to enforce any right or provision of these Terms does not constitute a waiver of that right or provision.
- Assignment. You may not assign or transfer these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets.
- Force Majeure. We are not liable for any failure or delay in performing our obligations where such failure or delay results from circumstances beyond our reasonable control, including natural disasters, war, terrorism, pandemics, government actions, or internet or infrastructure failures.
- Electronic Communications Consent. By using the Service, you consent to receiving communications from us electronically, including by email and in-app notifications. You agree that all notices, agreements, and other communications we provide electronically satisfy any legal requirement that such communications be in writing.
- Notices. We will send notices to the email address associated with your account. You are responsible for keeping your email address current.
17. Contact Us
If you have questions about these Terms, please contact us at:
- Email: [email protected]
- Security issues: [email protected]
These Terms of Service were last updated on March 29, 2026.