Terms of Service
Last updated 2026-07-09
1. Acceptance
These Terms govern your use of breach403 (the "Service"), operated by Bent Eisheuer. By starting a scan, creating an account, or purchasing credits, you accept these Terms. If you do not agree, do not use the Service. You must be at least 18 years old, or the age of legal majority in your jurisdiction if higher, and have the legal capacity to enter into this agreement, to use the Service.
2. What the Service does
breach403 runs an automated external security scan against a website and produces a plain-language report of what it found: exposed configuration files, missing security headers, outdated software, weak TLS or DNS/email settings, and similar misconfigurations. Every check is non-destructive: read-only or idempotent requests only (see §4). A free tier produces a deterministic (non-AI) report at no cost; a paid tier (bought as credits, see §6) unlocks a plain-language report and per-finding fix guidance that an AI model rewrites from those same findings.
What the scan does today.The scan maps your site's reachable surface and inspects it through observation and safe, read-only requests: it retrieves pages and files, reads response headers and TLS certificates, and checks DNS and email-authentication records. It does not currently perform active injection testing (for example, sending crafted cross-site-scripting or SQL-injection probes to your parameters). That deeper, active testing is a capability that is presently disabled for all users. If it is ever enabled, it will run only against a domain whose ownership you have proven, and only after you give a separate, explicit authorization for active testing at that time. It is never switched on silently.
Current scope. Every scan today is passive and non-destructive — read-only or idempotent requests only (see §4) — and runs only against a domain whose ownership you have verified (§3). We do not currently perform active injection testing, and we never scan a domain you have not proven you control.
The Service is not a certification, a penetration-test sign-off, or a guarantee of security. It reports what our automated checks observed at the time of the scan. A clean report does not mean your site has no vulnerabilities. It only means our checks did not find one. You remain solely responsible for the security of your own systems.
3. You must own or be authorized to scan the target: this is the core rule
By submitting a domain and completing our ownership-verification process, you represent and warrant that you own that domain, or you are its authorized operator with the legal right to commission a security test of it. Ownership verification (a DNS TXT record, an HTML meta tag, or a file you place on the domain) is how you demonstrate this to us. It is not a substitute for actually having that authorization. Submitting a domain you do not own or control, or falsely claiming authorization on someone else's behalf, is a breach of these Terms and may itself be unlawful (e.g. under the German Criminal Code, §§ 202a to 202d StGB, or equivalent laws elsewhere).
We re-verify your proof of ownership immediately before every scan, not only when you first submit the domain, because verification can lapse (a DNS record can be removed, a domain can change hands). A scan will not run if re-verification fails.
Authorization you give. By completing ownership verification and starting a scan, you authorize breach403 to run its automated, non-destructive scan (as described in §2) against the verified domain and its subdomains. As stated in §2, the scan today performs only read-only or idempotent requests; the deeper, active injection testing described there is currently disabled, and if it is ever enabled it will require a separate, explicit authorization from you at that time. We never test any domain, subdomain, or system outside the ownership boundary you verified.
Third-party hosting & infrastructure. Owning or controlling a domain is not, by itself, authorization to security-test the infrastructure it runs on if that infrastructure belongs to someone else (e.g. a cloud host, CDN, or platform provider). You are responsible for ensuring your use of the Service also complies with any separate terms your hosting or infrastructure providers impose on security testing of systems they operate.
Indemnification. You agree to indemnify, defend, and hold Bent Eisheuer harmless from and against any claim, demand, loss, liability, damage, or cost (including reasonable legal fees) arising out of or related to your breach of this section — in particular any claim by the actual owner or operator of a domain that you caused it to be scanned without their authorization, and any claim by a hosting or infrastructure provider that your use of the Service violated terms you owed them independently of your relationship with us. This obligation survives the end of your use of the Service.
4. What the Service will never do
Every check the Service performs is designed to be non-destructive: read-only or idempotent requests only. The Service does not, and will not, attempt to: cause a denial of service or degrade the target's availability; modify, delete, or exfiltrate data on the target; attempt to actually exploit a detected vulnerability (as opposed to safely detecting it); or submit credentials to any login form it finds. Rate limits, timeouts, and a guard against scanning private/internal network addresses are enforced automatically. This floor is absolute. It is never relaxed to go "deeper," on any tier of the Service.
5. Accounts
You can use the free scan without creating an account (an anonymous session is created automatically). Unlocking the AI-powered report requires a real account (email and password). You are responsible for keeping your account credentials confidential and for all activity under your account. Notify us promptly at legetdev@gmail.com if you suspect unauthorized access.
6. Payment & credits
AI-scan credits are a pay-per-use purchase (not a subscription): a fixed pack of credits for a one-time price, each credit unlocking one AI-enhanced report. Credits do not expire unless stated otherwise at the time of purchase. Purchases are processed by Lemon Squeezy, acting as merchant of record. Lemon Squeezy is the seller for these transactions, handles payment and applicable VAT, and its own terms govern the payment itself. See Refund & Withdrawal for your cancellation rights on a purchase.
The free deterministic scan is, and will remain, free. It does not require payment or a credit balance.
7. Acceptable use
You agree not to:
- Submit a domain you do not own or are not authorized to have tested (§3).
- Use the Service to scan, probe, or otherwise test any system other than the domain you verified.
- Attempt to circumvent rate limits, the ownership-verification gate, or any other technical control.
- Use the Service, or any output it produces, to facilitate an attack against any third party.
- Resell, sublicense, or provide the Service to third parties as if it were your own product, without our prior written consent.
- Attempt to reverse-engineer, extract, or replicate the Service's detection logic or templates for a competing product.
- Use the Service for any purpose that is illegal under applicable law.
We may suspend or terminate an account, without refund of unused credits, if we have a good-faith basis to believe it has been used to violate this section, in particular evidence that a scanned target was not actually authorized.
8. Third-party services
The Service relies on third-party infrastructure and AI providers (see Privacy Policy for the full list). We are not responsible for outages or errors originating in those third-party services, though we design the Service to degrade gracefully (e.g. falling back to a deterministic report if AI processing fails) rather than fail outright.
9. Intellectual property
The Service, its underlying software, and its content (excluding your own scan results and any third-party open-source components it uses) are our property or licensed to us. We grant you a limited, non-exclusive, non-transferable right to use the Service for its intended purpose. Your scan reports and findings are yours to use as you see fit.
10. Warranty disclaimer & limitation of liability
The Service is provided "as is" and on a best-effort basis. To the maximum extent permitted by law, we disclaim all warranties, express or implied, including fitness for a particular purpose and non-infringement. We are not liable for indirect, incidental, or consequential damages arising from your use of the Service or reliance on its reports.
Nothing in these Terms limits or excludes any liability that cannot be limited or excluded under German law, including liability for intent or gross negligence, injury to life, body, or health, or any statutory right you have as a consumer that is not waivable by agreement (e.g. under the BGB). For ordinary negligence, our liability is limited to foreseeable damages typical for a service of this kind, and, where legally permissible, capped at the amount you paid us in the twelve months preceding the claim.
11. Term & termination
You may stop using the Service at any time; email legetdev@gmail.com to request deletion of your account and its data. We may suspend or terminate access for breach of these Terms (in particular §3 and §7), or discontinue the Service with reasonable notice where feasible. Purchased credits already consumed are non-refundable except as described in Refund & Withdrawal.
12. Changes to these Terms
We may update these Terms as the Service evolves. Material changes will be reflected on this page with an updated date; continued use after a change constitutes acceptance of the updated Terms.
13. Governing law
These Terms are governed by the laws of Germany, excluding its conflict-of-law rules. If you are a consumer habitually resident in another EU member state, you also retain the benefit of any mandatory consumer-protection provisions of that state's law.
14. Severability
If any provision of these Terms is found unenforceable, the remaining provisions stay in full effect, and the unenforceable provision will be read to most closely match its original intent within the limits of applicable law.
15. Contact
legetdev@gmail.com. See also the Imprint.