Last Updated: April 16, 2024
Modifications to this Agreement
From time to time, OpenCVE may modify this Agreement. Unless otherwise specified by OpenCVE, changes become effective for Customer upon renewal of Customer’s current Subscription Term or entry into a new Order. OpenCVE will use reasonable efforts to notify Customer of the changes through communications via Customer’s account, email or other means. Customer may be required to click to accept or otherwise agree to the modified Agreement before renewing a Subscription Term or entering into a new Order, and in any event, continued use of the Service after the updated version of this Agreement goes into effect will constitute Customer’s acceptance of such updated version. If OpenCVE specifies that changes to this Agreement will take effect prior to Customer’s next renewal or order (such as for legal compliance or product change reasons) and Customer objects to such changes, Customer may terminate the applicable Subscription Term and receive as its sole remedy a refund of any fees Customer has pre-paid for use of the applicable Service for the terminated portion of the Subscription Term.
BY INDICATING YOUR ACCEPTANCE OF THIS AGREEMENT OR ACCESSING OR USING THE SERVICE, YOU ARE AGREEING TO BE LEGALLY BOUND BY ALL TERMS, CONDITIONS AND NOTICES CONTAINED OR REFERENCED IN THIS AGREEMENT. IF YOU DO NOT AGREE TO THIS AGREEMENT OR ARE UNDER THE AGE OF 18, PLEASE DO NOT USE THE SERVICE.
OpenCVE offers a software-as-a-service solution designed to monitor, prioritize and alert Customer to vulnerabilities that affects Products and Vendors that the Customer subscribed in OpenCVE. These Services include subscriptions to Products and Vendors from OpenCVE database, viewing all the available and known CVE, monitoring and alerting the Customer based on the configurations made in OpenCVE by the Customer.
During the Subscription Term, Customer may access and use the Service only for its internal business purposes in accordance with any Scope of Use and the Documentation, the AUP and this Agreement. Exception is made for Customer qualified as Reseller, detailed in Section 19.
Only Users may access or use the Service. The Service is not intended for and should not be used by anyone under the age of 18. Customer must ensure that all its Users are over 18 years old. Each User must keep login credentials confidential and not share them with anyone else. Customer is responsible for its Users compliance with this Agreement and actions taken through their accounts (excluding misuse of accounts caused by OpenCVE’s breach of this Agreement). Customer will promptly notify OpenCVE if it becomes aware of any compromise of any User login credentials. OpenCVE uses User account information as described in its Privacy Policy, but the Privacy Policy does not apply to Service Data.
Customer will not (and will not authorize anyone else to) do any of the following:
If Customer has purchased a paid subscription to the Service, unless otherwise specified in an Order, during the Subscription Term, OpenCVE will provide Support by email at the email address provided in the Contract or the one specified for our Service, currently support@opencve.io. OpenCVE will use reasonable efforts to respond to Support requests during business hours. For free or unpaid subscriptions to the Service, please visit our Github Issue page.
Customer controls the types and amounts of Service Data (including what, if any, personal information is included) that are submitted to the Service through Customer’s configuration. Customer is responsible for its configuration and the Service.
Subject to this Agreement, and solely to the extent necessary to provide, maintain and improve the Service and Support to Customer, Customer grants OpenCVE the non-exclusive, worldwide right, during the term of this Agreement, to access, use, process, copy, perform, store and display Service Data. Solely to the extent reformatting Service Data for display in the Service constitutes a modification or derivative work, the foregoing license also includes the right to modify and create derivative works of Service Data. In addition to the rights granted above, OpenCVE may use Non-Identifying Data for Additional Uses. Only to the extent Customer so authorizes via its configuration of the Service, OpenCVE may use other elements of Service Data for Additional Uses; provided, however, that OpenCVE will not disclose any Service Data used in this manner externally unless it has been Aggregated or Anonymized.
Notwithstanding anything to the contrary in the Agreement, OpenCVE may collect and use Usage Data to operate, improve and support the Service and for Additional Uses. OpenCVE will not disclose Usage Data externally, including in benchmarks or reports, unless it has been Aggregated or Anonymized.
OpenCVE uses reasonable technical and organizational measures designed to protect the Service and Service Data.
Unless Customer and OpenCVE have entered into a DPA, Customer will not submit any Personal Data to the Service.
OpenCVE will store Service Data in datacenters located in France.
During the Subscription Term, Customer may delete its Service Data from the Service using deletion features described in the Documentation. After the Subscription Term, OpenCVE will delete Service Data in accordance with its standard schedule and procedures.
Customer is responsible for all Service Data, including its accuracy, and agrees to comply with Laws and the Documentation in using the Service. Customer represents and warrants that it has made all disclosures and has all rights, consents and permissions necessary to use Service Data with the Service and grant OpenCVE the rights in Section 4.2 (Data Use), all without violating or infringing Laws, third-party rights (including intellectual property, publicity or privacy rights) or any terms or privacy policies that apply to Service Data.
Customer must not use the Service with Sensitive Personal Information. Customer acknowledges that the Service is not intended to meet any legal obligations for these uses. OpenCVE has no liability for Sensitive Personal Information.
OpenCVE may suspend Customer’s access to the Service and related services:
OpenCVE does not provide any professional, consulting, work-for-hire, custom development or similar services of any type.
Unless otherwise set forth on the applicable Order, each Subscription Term will automatically renew for an equivalent period unless either party gives the other party notice of non-renewal before the current Subscription Term ends (with respect to Customer, in accordance with Section 8.5 below).
Fees are as described in each Order. Fees are invoiced on the schedule in the Order. Unless the Order provides otherwise, all fees are due within 30 days of the invoice date. Fees for renewal Subscription Terms are at OpenCVE’s then-current rates, regardless of any discounted pricing in a prior Order. Except as expressly otherwise set forth herein, all fees are non-refundable. All Fees are exclusive of any applicable sales or other taxes or similar fees imposed by any government authority. Customer will:
If Customer is purchasing the Service via credit card, debit card or other payment card ("Credit Card”), the following terms apply:
By providing Credit Card information and agreeing to purchase the Service, Customer hereby authorizes OpenCVE (or its designee) to automatically charge Customer’s Credit Card on the same date of each calendar month (or the closest prior date, if there are fewer days in a particular month) during the Subscription Term for all fees accrued as of that date (if any) in accordance with the applicable Order. Customer acknowledges and agrees that the amount billed and charged each month may vary depending on Customer’s use of the Service.
Customer acknowledges that for certain Credit Cards, the issuer of Customer’s Credit Card may charge a foreign transaction fee or other charges.
If a payment is not successfully settled due to expiration of a Credit Card, insufficient funds, or otherwise, Customer remains responsible for any amounts not remitted to OpenCVE and OpenCVE may, in its sole discretion, either:
Upon any termination, expiration or cancellation of a Subscription Term, OpenCVE will charge Customer’s Credit Card (or invoice Customer directly) for any outstanding fees for Customer’s use of the Service during the Subscription Term, after which OpenCVE will not charge Customer’s Credit Card for any additional fees.
If Customer does not want to renew a subscription, Customer must cancel its account(s)/subscription(s) from its account settings. An email request to cancel Customer’s account is not considered notice of non-renewal. Any cancellation will take effect only at the end of Customer’s then-current Subscription Term, and Customer will continue to owe all fees (including, if applicable, monthly subscription fees) for the duration of the then-current Subscription Term. Notwithstanding the foregoing, OpenCVE reserves the right, at its sole and absolute discretion, to permit Customer to cancel its subscription immediately without further liability by making a lump-sum payment to OpenCVE that is equal to the upcoming three (3) months of subscription fees that Customer would otherwise have owed OpenCVE.
If Customer upgrades its plan or Scope of Use, we will immediately bill Customer for the applicable subscription fees. Downgrades will go into effect at the end of Customer’s then-current Subscription Term. There will be no refunds or credits for partial months of service, upgrade/downgrade refunds, or refunds for months unused with an open account. Downgrading account(s) may cause the loss of Service Data, features, or capacity of such account(s). We do not accept any liability for such loss.
The Service, Support and all related OpenCVE services are provided "AS IS”. OpenCVE and its suppliers make no other warranties, whether express, implied, statutory or otherwise, including warranties of merchantability, accuracy, fitness for a particular purpose, title or noninfringement. Unless otherwise expressly stated in this Agreement, OpenCVE does not warrant that Customer’s use of the Service will be uninterrupted or error-free, that OpenCVE will review Service Data for accuracy or that it will maintain Service Data without loss. OpenCVE is not liable for delays, failures or problems inherent in use of the Service or the Internet and electronic communications or other systems outside OpenCVE’s control or for use of the Service in High Risk Activities. Customer may have other statutory rights, but any statutorily required warranties will be limited to the shortest legally permitted period.
This Agreement starts on the Effective Date and continues until expiration, cancellation or termination of all Subscription Terms.
Either party may terminate this Agreement (including all Orders) if the other party:
Upon expiration or termination of this Agreement or an Order, Customer’s access to the Service will cease. At the disclosing party’s request upon expiration or termination of this Agreement, the receiving party will delete all the disclosing party’s Confidential Information (excluding Service Data, which is addressed in Section 4.7). Service Data and other Confidential Information may be retained in the receiving party’s standard backups after deletion but will remain subject to this Agreement’s confidentiality restrictions.
These Sections survive expiration or termination of this Agreement: 2.3 (Restrictions), 4.2 (Data Use), 5 (Customer Obligations), 8.2 (Fees and Taxes), 8.3 (Payment via Credit Card), 9 (Disclaimers), 10.3 (Effect of Termination), 10.4 (Survival), 11 (Ownership), 12 (Limitations of Liability), 13 (Indemnification), 14 (Confidentiality), 15 (Required Disclosures), 18 (General Terms) and 20 (Definitions). Except where an exclusive remedy is provided, exercising a remedy under this Agreement, including termination, does not limit other remedies a party may have.
Neither party grants the other any rights or licenses not expressly set out in this Agreement. Except for OpenCVE’s use rights in this Agreement, between the parties Customer retains all intellectual property and other rights in Service Data provided to OpenCVE. Except for Customer’s use rights in this Agreement, OpenCVE and its licensors retain all intellectual property and other rights in the Service and related OpenCVE technology, templates, formats, machine learning or large language models and dashboards, including any modifications or improvements to these items made by OpenCVE. If Customer provides OpenCVE with feedback or suggestions regarding the Service or other OpenCVE offerings, OpenCVE may use the feedback or suggestions without restriction or obligation.
Except for Excluded Claims, neither party (nor its suppliers) will have any liability arising out of or related to this Agreement for any loss of use, lost data, lost profits, failure of security mechanisms, interruption of business or any indirect, special, incidental, reliance or consequential damages of any kind, even if informed of their possibility in advance.
Except for Excluded Claims, each party’s (and its suppliers’) entire liability arising out of or related to this Agreement will not exceed in aggregate the amounts paid or payable by Customer to OpenCVE during the prior 12 months under this Agreement.
"Excluded Claims” means:
The waivers and limitations in this Section 12 apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
Customer will defend OpenCVE from and against any third-party claim to the extent resulting from Service Data or Customer’s breach or alleged breach of Section 5 (Customer Obligations) and will indemnify and hold harmless OpenCVE against any damages or costs awarded against OpenCVE (including reasonable attorneys’ fees) or agreed in settlement by Customer resulting from the claim.
The indemnifying party’s obligations in this Section 13 are subject to receiving:
The indemnifying party may not settle any claim without the indemnified party’s prior consent if settlement would require the indemnified party to admit fault or take or refrain from taking any action (other than relating to use of the Service, when OpenCVE is the indemnifying party). The indemnified party may participate in a claim with its own counsel at its own expense.
"Confidential Information" means information disclosed to the receiving party under this Agreement that is designated by the disclosing party as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. OpenCVE’s Confidential Information includes the terms and conditions of this Agreement and any technical or performance information about the Service. Customer’s Confidential Information includes Service Data.
As a receiving party, each party will:
The receiving party may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know, provided it remains responsible for their compliance with this Section 14 and they are bound to confidentiality obligations no less protective than this Section 14.
These confidentiality obligations do not apply to information that the receiving party can document:
Unauthorized use or disclosure of Confidential Information may cause substantial harm for which damages alone are an insufficient remedy. Each party may seek appropriate equitable relief, in addition to other available remedies, for breach or threatened breach of this Section 14.
Nothing in this Agreement prohibits either party from making disclosures, including of Service Data and other Confidential Information, if required by Law, subpoena or court order, provided (if permitted by Law) it notifies the other party in advance and cooperates in any effort to obtain confidential treatment.
If Customer receives access to the Service or Service features on a no-charge, free or trial basis or as an alpha, beta or early access offering ("No-Charge Products"), use of such No-Charge Products is permitted only during the period designated by OpenCVE (or if not designated, 30 days). No-Charge Products are optional and either party may terminate No-Charge Products at any time for any reason. No-Charge Products may be inoperable, incomplete or include features that OpenCVE may never release, and their features and performance information are OpenCVE’s Confidential Information. Notwithstanding anything else in this Agreement, OpenCVE provides no warranty, indemnity, service levels or Support for No-Charge Products and its liability for No-Charge Products will be none.
Neither party may publicly announce this Agreement except with the other party’s prior consent or as required by Laws. However, OpenCVE may include Customer and its trademarks in OpenCVE’s customer lists and promotional materials, issue a press release identifying Customer as a OpenCVE customer, inform other potential customers that Customer is a OpenCVE customer and identify Customer as a customer in other forms of publicity (including, without limitation, case studies, blog posts, OpenCVE’s website and OpenCVE’s Github page), but will cease such use at Customer’s written request.
Neither party may assign this Agreement without the prior consent of the other party, except that either party may assign this Agreement in connection with a merger, reorganization, acquisition or other transfer of all or substantially all its assets or voting securities (each, a "Change of Control"). If Customer assigns this Agreement in a Change of Control permitted under this Section, Customer will update all necessary details in Customer’s account settings. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each party’s permitted successors and assigns.
This Agreement is governed by the laws of France and by extend the European Union without regard to conflicts of laws provisions and without regard to the United Nations Convention on the International Sale of Goods. The jurisdiction and venue for actions related to this Agreement will be the French state and the local Tribunal of Lille, France. Both parties submit to the personal jurisdiction of those courts.
The prevailing party in any action to enforce this Agreement will be entitled to recover its attorneys’ fees and costs in connection with such action.
Except as set out in this Agreement, any notice or consent under this Agreement must be in writing and will be deemed given:
Either party may update its contact information with notice to the other party. Notices to OpenCVE must be sent to: Amber Security SAS, OpenCVE, Euratechnologies, 165 avenue de Bretagne, 59000 Lille, France (with a copy by email to hello@opencve.io). Notices to Customer will be sent to the address (if any) set forth in the Order or by email to Customer’s email set forth in the Order. OpenCVE may also send notices to Customer through the Service.
This Agreement (which includes all Orders, the Policies and, if applicable, the DPA) is the parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and "including” and similar terms are to be construed without limitation. This Agreement may be executed in counterparts (including electronic copies and PDFs), each of which is deemed an original and which together form one and the same agreement.
Except as otherwise provided herein, any amendments, modifications or supplements to this Agreement must be in writing and signed by each party’s authorized representatives or, as appropriate, agreed through electronic means provided by OpenCVE. Nonetheless, with notice to Customer using reasonable means, OpenCVE may modify the Policies to reflect new features or changing practices, but the modifications will not materially decrease OpenCVE’s overall obligations during a Subscription Term. The terms in any Customer purchase order or business form will not amend or modify this Agreement and are expressly rejected by OpenCVE; any of these Customer documents are for administrative purposes only and have no legal effect.
Waivers must be signed by the waiving party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
Neither party is liable for any delay or failure to perform any obligation under this Agreement (except for a failure to pay fees) due to events beyond its reasonable control, such as a strike, blockade, war, act of terrorism, pandemic, riot, Internet or utility failures, refusal of government license or natural disaster.
OpenCVE may use subcontractors and permit them to exercise OpenCVE’s rights, but OpenCVE remains responsible for their compliance with this Agreement and for its overall performance under this Agreement.
The parties are independent contractors, not agents, partners or joint venturers.
Customer agrees to comply with all relevant French and E.U. export and import Laws in using the Service. Customer:
Elements of the Service are commercial computer software. If the user or licensee of the Service is an agency, department, or other entity of French or E.U. Government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Service or any related documentation of any kind, including technical data and manuals, is restricted by the terms of this Agreement. The Service was developed fully at private expense. All other use is prohibited.
If Customer obtained the Service through an authorized reseller of OpenCVE ("Reseller"), the following terms are applicable and will prevail in event of any conflict with any other provisions of this Agreement:
This Agreement is between OpenCVE and Customer and governs all access and use of the Service by Customer. Resellers are not authorized to modify this Agreement or make any promises or commitments on OpenCVE’s behalf, and OpenCVE is not bound by any obligations to Customer other than as set forth in this Agreement. OpenCVE is not party to (or responsible under) any separate agreement between Customer and Reseller and is not responsible for the Reseller’s acts, omissions, products or services.
Customer’s order details (e.g., Scope of Use and fees) will be as stated in the Order placed by Reseller with OpenCVE on Customer’s behalf. The Reseller is responsible for the accuracy of such Order.
The amount paid by Customer to the Reseller will be deemed the amount paid or payable by Customer to OpenCVE under this Agreement for purposes of Section 12 (Limitations of Liability).
Instead of paying OpenCVE, Customer will pay the applicable amounts to the Reseller, as agreed between Customer and the Reseller. If the Reseller fails to pay OpenCVE the applicable fees for Customer’s use of the Service, OpenCVE reserves the right to terminate the applicable Subscription Term for such Service and all related rights granted hereunder.
In the event Customer is entitled to a refund under this Agreement, Customer must request such refund through the Reseller. Any request sent directly to OpenCVE may be redirected to the Reseller. OpenCVE will refund any applicable fees to the Reseller and the Reseller will be solely responsible for refunding such fees to Customer, unless otherwise specified by OpenCVE. OpenCVE will have no further liability to Customer in the event the Reseller fails to refund such fees to Customer.
"Additional Uses" means any legitimate business purposes such as analytics, benchmarking, reporting and developing new products and services.
"Affiliate" means an entity directly or indirectly owned by, controlled by or under common control with a party, where "ownership” means the beneficial ownership of fifty percent (50%) or more of an entity’s voting equity securities or other equivalent voting interests and "control” means the power to direct the management or affairs of an entity.
"Aggregated or Anonymized” means de-identified or aggregated so that it does not individually identify Customer, its Users or any other person, and OpenCVE will not identify Customer as the source of such data.
"AUP” means the Acceptable Use Policy, the current version of which is at https://www.opencve.io/aup.
"Documentation” means OpenCVE’s usage guidelines and standard technical documentation for the Service, the current versions of which are at https://docs.opencve.io.
"DPA” means the Data Protection Addendum, if any, separately executed by the parties in connection with this Agreement.
"European Data Protection Legislation” means the data protection and privacy laws and regulations enacted in Europe and applicable to the Personal Data in question, including as applicable: (a) the GDPR; (b) the Federal Data Protection Act of 19 June 1992 (Switzerland); and/or (c) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced from time to time.
"GDPR” means European Union Regulation 2016/679, as may be amended, superseded or replaced from time to time.
"High Risk Activities” means activities where use or failure of the Service could lead to death, personal injury or environmental damage, including life support systems, emergency services, nuclear facilities, autonomous vehicles or air traffic control.
"Laws” means all relevant local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and export of technical or personal data.
"Non-Identifying Data” means elements of Service Data that by their nature cannot be used to identify Customer or its Users. For avoidance of doubt, Non-Identifying Data will not include any Personal Data, source code, content or attachments.
"Order” has the meaning set forth in the second paragraph of this Agreement.
"Personal Data” means personal data or personal information (as those terms are defined by European Data Protection Legislation).
"Policies” means the Privacy Policy, Acceptable Use Policy or any other OpenCVE policies referenced in or attached to this Agreement.
"Privacy Policy” means the Privacy Policy for the relevant Service, the current versions of which are at https://www.opencve.io/privacy-policy.
"Scope of Use” means any monthly usage quota or seat allowance set forth in an Order.
"Sensitive Personal Information” means any (a) special categories of data enumerated in the GDPR, Article 9(1) or any successor legislation, (b) PHI, (c) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards (PCI DSS), (d) social security numbers, driver’s license numbers or other government ID numbers or (e) any data similar to the above protected under foreign or domestic laws.
"Service” means OpenCVE’s cloud service identified in the relevant Order or otherwise provided to Customer, as modified from time to time. The Service includes the Documentation.
"Service Data” means data collected that is reported to the Service by the Customers, such as the product, vendors or software, or any other data, content or materials that Customer (including its Users) submits to the Service.
"Subscription Term” means the term for Customer’s use of the Service as identified in an Order.
"Support” means technical support for the Service.
"Usage Data” means technical logs, data and other learnings about Customer’s and its Users’ configuration and use of the Service, such as Vendors and Products information, Subscriptions and Notifications content in use.
"User” means any employee or contractor of Customer or its Affiliates that Customer allows to use the Service on its behalf.