Vulnotes – Terms of Use
Last updated: January 2025
These Terms of Use (the "Terms") govern access to and use of the Vulnotes website and services (together, the "Service"). By creating an account, accessing or using the Service, you agree to be bound by these Terms.
If you do not agree to these Terms, you must not use the Service.
1. Identity of the Provider
The Service is provided by:
Hippolyte QUERE, acting as a sole trader (micro-entrepreneur / auto-entrepreneur) under French law, operating under the trade name Vulnotes ("Vulnotes", "we", "us", or the "Provider").
Legal and contact information (including registered address and regulatory notices) are available in the Legal Notice on the Website.
2. Scope of the Service and Target Users
The Service is primarily intended for professional users and organizations (e.g. security teams, penetration testers, companies), but is also available to individual users, including consumers, where permitted by applicable law.
By using the Service, you represent and warrant that:
- you are at least 16 years old; and
- if you are using the Service on behalf of a company or other legal entity, you have the authority to bind that entity to these Terms, in which case "you" and "your" will refer to that entity.
The Service is made available worldwide, subject to any technical or legal restrictions and export control rules that may apply.
3. Description of the Service
3.1 General
Vulnotes is a software tool designed to help write penetration testing ("pentesting") reports. It provides features including, but not limited to:
- collaborative workspaces and note-taking,
- AI-assisted content generation and drafting,
- report structure and design tools,
- organization and management of findings and notes.
The Service is available:
- as a hosted SaaS solution operated by Vulnotes ("Hosted Service"), and
- as a self-hosted version, which you deploy on your own infrastructure ("Self-Hosted Version").
Unless otherwise specified, references to the "Service" in these Terms include both the Hosted Service and the Self-Hosted Version, to the extent technically applicable.
3.2 No Professional Advice
The Service is a software tool and does not constitute legal, security, compliance, or professional advice. You remain solely responsible for any decisions, conclusions or reports produced using the Service.
4. Account Registration and Access
4.1 Account Creation
To use the Service, you must purchase a license and create an account (the "Account") via:
- email and password
You agree to provide true, accurate, current and complete information during registration and to keep this information updated.
4.2 Organization Accounts and Roles
The Service may allow the creation of organizations / workspaces with different roles, such as an "organization admin" and end users (team members).
- The organization admin is responsible for managing the workspace, inviting users, assigning roles, and ensuring compliance with these Terms.
- You acknowledge that your access may depend on your organization's decisions (for example, removal of your access, changes to your role, or termination of the subscription).
4.3 Security of Credentials
You are responsible for maintaining the confidentiality and security of your credentials and any authentication methods used to access the Service.
- You must implement and maintain appropriate security measures and are strongly encouraged to enable two-factor authentication (2FA) where available.
- You must promptly notify Vulnotes at contact@vulnotes.com if you suspect any unauthorized access to your Account.
You are responsible for all activities carried out through your Account unless you have promptly notified Vulnotes of a suspected compromise.
5. Acceptable Use
5.1 General Rules
You agree to use the Service in compliance with:
- these Terms,
- applicable laws and regulations, and
- any additional policies referenced by Vulnotes.
You must not:
- use the Service for unlawful purposes or to store, process or transmit content that is illegal, harmful, fraudulent, defamatory, hateful, or infringing;
- use the Service to store or process personal data in violation of applicable data protection laws;
- use the Service to send unsolicited messages, spam or malicious content;
- upload or distribute malware, viruses, or any code intended to damage or interfere with systems or data;
- attempt to access Accounts, data or systems you are not authorized to access;
- circumvent or attempt to circumvent security mechanisms or access controls, except as expressly permitted under a responsible disclosure / security testing policy as described below;
- reverse engineer, decompile, disassemble or attempt to derive the source code of the Service, except to the extent allowed by mandatory law or Vulnotes;
- perform automated scraping or large-scale data extraction from the Service, except as expressly authorized in writing by Vulnotes.
5.2 Security Research and Responsible Disclosure
Vulnotes encourages responsible security research aimed at improving the security of the Service.
- Attempts to test or identify vulnerabilities in Vulnotes are only permitted under the conditions described in the /security.txt file published on the Website or any separate responsible disclosure policy specified there.
- You must carefully respect the scope, rules, and restrictions defined in that file/policy, including but not limited to:
  - not impacting availability for other users,
  - not accessing, modifying or exfiltrating other customers' data,
  - not performing denial-of-service attacks, and
  - promptly and confidentially reporting vulnerabilities to Vulnotes.
Any activity outside the rules defined in /security.txt and applicable law is strictly prohibited and may result in suspension or termination of your Account and possible legal action.
6. Intellectual Property
6.1 Vulnotes' Rights
The Service, including the website, software (source and object code), architecture, design, user interfaces, documentation, and all related content (the "Vulnotes Materials") are protected by intellectual property laws.
Subject to your full compliance with these Terms and payment of applicable fees (as defined in the applicable commercial terms or Conditions of Sale), Vulnotes grants you a limited, non-exclusive, non-transferable, non-sublicensable and revocable license to access and use the Service solely for your internal professional or personal needs.
No intellectual property rights are assigned or transferred to you under these Terms. You may not copy, modify, adapt, translate, distribute, sell, lease, or create derivative works of the Vulnotes Materials, except as expressly allowed by Vulnotes or by mandatory law.
The use of the name "Vulnotes" as a trade name or brand does not imply any particular registration status; all rights in and to the brand and associated logos remain with Vulnotes.
6.2 User Content and Data
You may store, upload or otherwise provide content and data through the Service, including notes, findings, reports and other materials ("User Content").
- Ownership: As between you and Vulnotes, you (or your organization) retain ownership of your User Content.
- License to Vulnotes: You grant Vulnotes a non-exclusive, worldwide, royalty-free license to host, store, process, display, and back up your User Content as necessary to:
  - provide, maintain and improve the Service, and
  - comply with legal obligations (including retention and security).
You represent and warrant that you have all necessary rights, licenses and permissions to submit and use User Content in connection with the Service and to grant the above license.
7. Third-Party Services and AI
7.1 Third-Party Services and Integrations
Vulnotes may integrate or interoperate with third-party services (for example, identity providers for SSO, AI providers, and other tools). Your use of such third-party services may be subject to their own terms and privacy policies.
You are responsible for reviewing and complying with any applicable third-party terms. Vulnotes has no control over, and is not responsible for, third-party services.
7.2 Use of Mistral AI
For some AI-powered features, Vulnotes uses Mistral AI as a third-party AI provider. These features may involve sending portions of your input or User Content to Mistral AI for processing.
- You can disable AI features in the administration interface if you do not wish your data to be processed by Mistral AI.
- Details about data processing, including the role of third-party processors such as Mistral AI, are provided in the Privacy Policy.
By enabling and using AI features, you acknowledge and accept that your data will be processed as described in the Privacy Policy and by Mistral AI in accordance with its terms.
8. Service Availability, Maintenance and Updates
8.1 Hosted Service
Vulnotes will make reasonable efforts to ensure the availability and proper functioning of the Hosted Service. However, no specific service level (SLA) or uptime guarantee is provided under these Terms unless otherwise agreed in a separate written agreement.
The Service may be temporarily suspended or limited due to:
- maintenance and updates (planned or emergency),
- technical issues, security incidents or unexpected outages,
- factors beyond Vulnotes' reasonable control.
Where reasonably possible, Vulnotes will inform users of planned maintenance that may significantly impact availability.
8.2 Updates and Changes
Vulnotes may modify, update, or discontinue certain features of the Service at any time, in particular to:
- improve performance or security,
- comply with legal requirements, or
- adapt to technical or business constraints.
Some features may be offered as beta or experimental. Such features are provided "as is", without any guarantee, and may be modified or removed at any time.
9. Self-Hosted Version
9.1 Deployment and Responsibility
For the Self-Hosted Version, Vulnotes provides software (for example, packages, images or code) that you deploy on your own infrastructure.
You are solely responsible for:
- selecting, provisioning and managing the infrastructure (hardware, OS, network, etc.),
- installing, configuring and operating the Self-Hosted Version,
- implementing appropriate security measures, including firewalls, access control, encryption, and monitoring,
- setting up and maintaining backups, redundancy and disaster recovery,
- complying with all applicable laws and regulations relating to your environment.
Vulnotes is not responsible for security incidents, data loss, performance issues or any other problems that result from your infrastructure, configuration choices, or failure to implement appropriate security and backup measures.
9.2 Updates and Security Patches
Vulnotes may provide updates, patches or new releases of the Self-Hosted Version.
Unless otherwise agreed:
- Vulnotes makes no commitment to provide updates for any specific duration, and
- you are responsible for installing updates and security patches in a timely manner.
Vulnotes cannot be held liable for any incident or damage resulting from your failure to apply updates or security patches.
9.3 Support
Unless otherwise specified in separate commercial terms, Vulnotes provides best-effort support for the Self-Hosted Version, typically via email or other communication channels indicated on the Website.
Support does not include, unless expressly agreed:
- custom development or consulting,
- deep troubleshooting of your infrastructure or third-party components,
- obligations to achieve specific results.
10. Data Protection and Privacy
The collection and processing of personal data in connection with the Service are governed by the Privacy Policy, which forms an integral part of these Terms.
The Privacy Policy explains in particular:
- what personal data is collected,
- the purposes and legal bases of processing,
- data retention periods,
- your rights as a data subject, and
- the use of third-party processors (including AI providers).
You agree to read the Privacy Policy carefully. In case of any conflict between these Terms and the Privacy Policy regarding the processing of personal data, the Privacy Policy will prevail.
11. Term and Termination
11.1 Duration
These Terms apply from the moment you access or use the Service and remain in effect as long as you have an Account or continue using the Service.
11.2 Termination by You
You may close your Account at any time, subject to any obligations related to fees and minimum terms that may apply under the applicable Conditions of Sale or subscription agreement.
Upon closure of your Account:
- Vulnotes may delete or anonymize your personal data and User Content after a period of 30 days, subject to legal retention obligations and technical limitations.
- After this period, your data may be permanently deleted and may no longer be recoverable.
If your Account is part of an organization workspace, data ownership and retention may be managed by your organization's admin; please contact them first for any deletion request.
11.3 Suspension and Termination by Vulnotes
Vulnotes may suspend or terminate your access to the Service, in whole or in part, with or without notice, if:
- you materially breach these Terms or any applicable policy,
- your use of the Service presents a security or legal risk,
- you engage in fraudulent or abusive behavior,
- required by law or by a competent authority, or
- you fail to pay applicable fees (as governed by the Conditions of Sale).
In case of termination for breach, Vulnotes may immediately deactivate your Account and block access to your data, subject to applicable laws and your rights as a consumer where relevant.
12. Limitation of Liability
Nothing in these Terms will exclude or limit liability where such exclusion or limitation is not permitted by applicable law, including in particular liability for death or personal injury caused by negligence, or for intentional misconduct.
To the maximum extent permitted by law:
- Vulnotes shall not be liable for:
  - indirect, incidental, special, punitive or consequential damages;
  - loss of profits, revenue, opportunity, data or business;
  - any damage or loss resulting from:
    - your use of the Self-Hosted Version and your infrastructure,
    - your failure to apply updates or security patches,
    - your failure to implement appropriate security, access control or backups.
- For business users (B2B), Vulnotes' total aggregate liability arising out of or in connection with the Service and these Terms, whether in contract, tort or otherwise, shall be limited to the total amount of fees paid by you to Vulnotes for the Service during the three (3) months preceding the event giving rise to the claim.
If you are a consumer, mandatory consumer protection rules may grant you additional rights and the above limitations may not fully apply. In any case, they will be interpreted in accordance with applicable consumer law.
13. Changes to the Terms
Vulnotes may amend these Terms from time to time, for example to reflect changes to the Service, legal requirements, or business practices.
- When significant changes are made, Vulnotes will take reasonable steps to inform you (for instance by email, in-app notification, or notice on the Website).
- Your continued use of the Service after the effective date of the updated Terms constitutes your acceptance of the changes.
If you do not agree to the updated Terms, you must stop using the Service and close your Account.
Vulnotes is not required to maintain an online public archive of previous versions of these Terms.
14. Applicable Law and Jurisdiction
These Terms are governed by French law, without prejudice to the mandatory consumer protection rules of the country where you reside (if you are a consumer in the EU/EEA).
Subject to such mandatory provisions:
- in case of a dispute and absent an amicable resolution, the courts of Rennes, France shall have exclusive jurisdiction.
Consumers are informed that they may be entitled to use a consumer mediation mechanism, as described in the applicable Conditions of Sale or Legal Notice, before bringing a claim before the courts.
15. Language
These Terms are drafted in English. If they are translated into other languages, the English version shall prevail in case of any discrepancy or interpretation issue.
16. Contact
For any question regarding these Terms or the Service, you may contact:
Vulnotes / Hippolyte QUERE
Email: contact@vulnotes.com